Note on the structure of articles

Model structure of the analysis of international responsibility
The core of this toolkit consists of international cyber law scenarios. Each scenario describes an incident, or a series thereof, and then analyses these from the perspective of international cyber law. The central question of the legal analysis section is the following: Do the incidents described in the scenario amount to a violation of international law by any of the relevant actors? In order to answer that question, the section is typically divided into three main parts: (1) attribution, (2) breach, and (3) responses and justifications. Occasionally, one or even two of these parts may be missing, depending on which issues are raised by a particular scenario.

This structure broadly follows the logic of the law of international responsibility. According to this logic, an entity—most commonly, but not exclusively, a State —is only responsible for an internationally wrongful act if three conditions are met simultaneously: firstly, there is an action or omission which is attributable to the entity in question; secondly, that action or omission constitutes a breach of an international obligation of the said entity; and thirdly, there are no circumstances that would preclude the wrongfulness of such an action or omission. As far as the responsibility of States is concerned, the relevant rules are codified in the International Law Commission’s Articles on State Responsibility, which are generally considered to reflect customary international law.

The remainder of this note explains the basics of the relevant law from the perspective of its application to cyber operations of the kind discussed in the present toolkit. Its aim is to assist the readers in understanding the structure used in the analysis of the individual scenarios while avoiding unnecessary repetition in the text of those scenarios.

Attribution
The conduct of the actors in the scenario must be attributable to an entity that bears the relevant obligation under international law. For the most part, international law regulates the conduct of States, and therefore the section on attribution typical considers whether the relevant conduct is imputable to any of the States mentioned in the scenario. To the extent that non-State actors (such as international organizations, private companies or organized armed groups) bear specific legal obligations under international law, this is highlighted in the text and if attribution of specific conduct to such entities poses particular problems, this is also considered in the same section.

As far as attribution of conduct to States is concerned, it is useful to distinguish between, on the one hand, the conduct of State organs or in exercise of governmental authority and, on the other hand, the conduct of non-State actors:

The details of the individual modes of attribution are considered in the specific scenarios. In some cases, the aspect of evidence is considered:

Breach
Although the application of these rules to the particular facts is the task of the individual scenarios, the toolkit contains an overview of each of these rules from the perspective of cyber-related activities. These overviews provided in collapsible sections within the individual scenarios and they can also be accessed directly at the links above or through the general List of articles.

Responses and justifications
Some of the generally accepted circumstances precluding wrongfulness are responsive in nature, in the sense that they allow the relevant actor to claim that it is responding to a prior act of another entity or to a previously existing situation and that it is the fact of acting in response which justifies the lawfulness of the conduct in question. Accordingly, the scope of the third part of the legal analysis section is broader than a mere consideration of the applicable circumstances precluding wrongfulness. On occasion, other available responses (such as retorsions or responses authorized by the municipal law of the acting State) are also discussed, even if these do not serve to shield the acting entity from international responsibility.

Other responses may be available on the facts of the individual scenarios and are discussed there if appropriate.

Bibliography and further reading

 * MN Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017)
 * etc.