Difference between revisions of "Attribution"

From International cyber law: interactive toolkit
Jump to navigation Jump to search
(Created page with "== Definition == <onlyinclude>Attribution of cyber activities is context-dependent – there are no universal ready-made ‘burdens, standards, and methods of proof’.<ref>T...")
 
 
(48 intermediate revisions by 6 users not shown)
Line 1: Line 1:
== Definition ==
+
As a rule, the conduct of State organs is attributable to the State in question;<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 4.</ref> by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 8.</ref>
  
<onlyinclude>Attribution of cyber activities is context-dependent – there are no universal ready-made ‘burdens, standards, and methods of proof’.<ref>Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, paragraph 8.</ref>
+
== State organs and persons and entities in exercise of governmental authority ==
  
However, in case a State is considering a response to an internationally wrongful act, as opposed to, for instance, providing evidence in a case before the ICJ, the standard of attribution is that of ‘reasonableness’, i.e. ‘States must act as reasonable States would in the same or similar circumstances when considering responses to them.’<ref>Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, paragraph 10.</ref> Specific rules may apply to some responses, so according to a majority of the experts drafting the Tallinn Manual 2.0, when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the ‘reasonableness’ standard of attribution.<ref>Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, paragraph 12.</ref>
+
<section begin=State organs />
 +
{| class="wikitable mw-collapsible" style="background-color:#ffffcc;"
 +
|-
 +
! scope="col" style="background-color:#ffffaa;" | [[Attribution#State organs and persons and entities in exercise of governmental authority|State organs and persons and entities in exercise of governmental authority]]
 +
|-
 +
|[[File:State organs and persons and entities in exercise of governmental authority.svg|alt=|left|frameless|200x200px]]The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  
A State generally takes attribution for the conduct of its organs; the conduct of non-State actors or third States’ organs can be attributed to it only under specific circumstances.</onlyinclude>
+
# The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 4(1).</ref>
 +
# The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State;<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 6.</ref>
 +
# The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance."<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 5.</ref><br>
 +
Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts <i>ultra vires</i>).<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 7; [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], commentary to rule 15, paras. 6-7 and 12.</ref>
 +
|}<section end=State organs />
 +
 
 +
== Non-State actors ==
 +
 
 +
<section begin=Non-State actors />
 +
{| class="wikitable mw-collapsible" style="background-color:#ffffcc;"
 +
|-
 +
! scope="col" style="background-color:#ffffaa;"| [[Attribution#Non-State actors|Non-State actors]]
 +
|-
 +
|[[File:Non-State actors.svg|alt=|left|frameless|200x200px]]Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is:
 +
 
 +
# "in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct";<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 8; see also Kubo Mačák, ‘[https://doi.org/10.1093/jcsl/krw014 Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors]’ (2016) 21 JC&SL 405.</ref>
 +
# "in fact exercising elements of the governmental authority in the absence or default of the official authorities and in circumstances such as to call for the exercise of those elements of authority";<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 9.</ref>
 +
# "an insurrectional movement which becomes the new Government of a State";<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 10(1).</ref> or
 +
# "a movement, insurrectional or other, which succeeds in establishing a new State in part of the territory of a pre-existing State or in a territory under its administration".<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 10(2).</ref>
 +
Additionally,
 +
# <li value="5">the conduct of a non-State actor is attributable to a State "if and to the extent that the State acknowledges and adopts the conduct in question as its own".<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], Art 11.</ref></li>
 +
|}<section end=Non-State actors />
 +
 
 +
== Evidentiary standards ==
 +
 
 +
<section begin=Evidentiary standards />
 +
{| class="wikitable mw-collapsible" style="background-color:#ffffcc;"
 +
|-
 +
! scope="col" style="background-color:#ffffaa;" | [[Attribution#Evidentiary standards|Evidentiary standards]]
 +
|-
 +
|[[File:Evidentiary standards.svg|alt=|left|frameless|200x200px]]Evidentiary standards applicable to the attribution of cyber activities are context-dependent.<ref>See further Marco Roscini, ‘[http://dx.doi.org/10.1093/acprof:oso/9780198717492.003.0011 Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations]’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary
 +
Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘[https://doi.org/10.4337/cilj.2020.01.03 Attribution of Cyber Operations: An International Law Perspective on the ''Park Jin Hyok'' case]’ (2020) 9 Cambridge International Law Journal 51, 64-68.</ref> The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof,<ref>ILC [http://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf Articles on State Responsibility], commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").</ref> and these matters are instead ordinarily determined by the relevant forum.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], Chapter 4 Section 1, para 8.</ref>
 +
 
 +
However, in case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them."<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], Chapter 4 Section 1, para 10; Cf. ''Yeager v Islamic Republic of Iran'' (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).</ref> This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved."<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], Chapter 4 Section 1, para 10.</ref> Nevertheless, there is no obligation to publicly provide the evidence.<ref>According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, '[https://www.gov.uk/government/speeches/cyber-and-international-law-in-the-21st-century Cyber and International Law in the 21st Century]'; see also [https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], Chapter 4 Section 1 chapeau, paragraph 13.</ref>
 +
 
 +
Specific rules may apply to some responses, so when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.<ref>[https://doi.org/10.1017/9781316822524 Tallinn Manual 2.0], Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49, para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)</ref>
 +
|}<section end=Evidentiary standards />
  
 
== Appendixes ==
 
== Appendixes ==
  
 
=== See also ===
 
=== See also ===
 +
* [[Scenario 02: Cyber espionage against government departments]]
 +
* [[Scenario 05: State investigates and responds to cyber operations against private actors in its territory]]
 +
* [[Scenario 06: Cyber countermeasures against an enabling State]]
 +
* [[Scenario 08: Certificate authority hack]]
 +
* [[Scenario 11: Sale of surveillance tools in defiance of international sanctions]]
 +
* [[Scenario 13: Cyber operations as a trigger of the law of armed conflict]]
 +
* [[Scenario 14: Ransomware campaign]]
 +
* [[Scenario 17: Collective responses to cyber operations]]
  
 
=== Notes and references ===
 
=== Notes and references ===
Line 15: Line 64:
  
 
=== Bibliography and further reading ===
 
=== Bibliography and further reading ===
 
+
<!--
 
* MN Schmitt (ed), ''Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations'' (CUP 2017)
 
* MN Schmitt (ed), ''Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations'' (CUP 2017)
 
* Etc.
 
* Etc.
 +
-->
  
=== External links ===
+
[[Category:Attribution]]
 
+
[[Category:State organs]]
* (...)
+
[[Category:Non-State actors]]
 +
[[Category:Evidence]]
 +
[[Category:Legal concepts]]

Latest revision as of 13:46, 16 November 2020

As a rule, the conduct of State organs is attributable to the State in question;[1] by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.[2]

State organs and persons and entities in exercise of governmental authority[edit | edit source]

State organs and persons and entities in exercise of governmental authority
The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State:
  1. The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[3]
  2. The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State;[4]
  3. The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance."[5]

Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[6]

Non-State actors[edit | edit source]

Non-State actors
Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is:
  1. "in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct";[7]
  2. "in fact exercising elements of the governmental authority in the absence or default of the official authorities and in circumstances such as to call for the exercise of those elements of authority";[8]
  3. "an insurrectional movement which becomes the new Government of a State";[9] or
  4. "a movement, insurrectional or other, which succeeds in establishing a new State in part of the territory of a pre-existing State or in a territory under its administration".[10]

Additionally,

  1. the conduct of a non-State actor is attributable to a State "if and to the extent that the State acknowledges and adopts the conduct in question as its own".[11]

Evidentiary standards[edit | edit source]

Evidentiary standards
Evidentiary standards applicable to the attribution of cyber activities are context-dependent.[12] The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof,[13] and these matters are instead ordinarily determined by the relevant forum.[14]

However, in case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them."[15] This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved."[16] Nevertheless, there is no obligation to publicly provide the evidence.[17]

Specific rules may apply to some responses, so when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.[18]

Appendixes[edit | edit source]

See also[edit | edit source]

Notes and references[edit | edit source]

  1. ILC Articles on State Responsibility, Art 4.
  2. ILC Articles on State Responsibility, Art 8.
  3. ILC Articles on State Responsibility, Art 4(1).
  4. ILC Articles on State Responsibility, Art 6.
  5. ILC Articles on State Responsibility, Art 5.
  6. ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
  7. ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
  8. ILC Articles on State Responsibility, Art 9.
  9. ILC Articles on State Responsibility, Art 10(1).
  10. ILC Articles on State Responsibility, Art 10(2).
  11. ILC Articles on State Responsibility, Art 11.
  12. See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
  13. ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
  14. Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
  15. Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
  16. Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
  17. According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century'; see also Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, paragraph 13.
  18. Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49, para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)

Bibliography and further reading[edit | edit source]