As a rule, the conduct of State organs is attributable to the State in question; by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.
|State organs and persons and entities in exercise of governmental authority|
Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).
| The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof, and these matters are instead ordinarily determined by the relevant forum.
However, in case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them." This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved." Nevertheless, there is no obligation to publicly provide the evidence.
Specific rules may apply to some responses, so when State A responds with countermeasures after misattributing an internationally wrongful act to State B, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.
- Scenario 02: Cyber espionage against government departments
- Scenario 05: State investigates and responds to cyber operations against private actors in its territory
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 08: Certificate authority hack
- Scenario 11: Sale of surveillance tools in defiance of international sanctions
- Scenario 13: Cyber operations as a trigger of the law of armed conflict
- Scenario 14: Ransomware campaign
- Scenario 17: Collective responses to cyber operations
Notes and references
- ILC Articles on State Responsibility, Art 4.
- ILC Articles on State Responsibility, Art 8.
- ILC Articles on State Responsibility, Art 4(1).
- ILC Articles on State Responsibility, Art 6.
- ILC Articles on State Responsibility, Art 5.
- ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
- ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
- ILC Articles on State Responsibility, Art 9.
- ILC Articles on State Responsibility, Art 10(1).
- ILC Articles on State Responsibility, Art 10(2).
- ILC Articles on State Responsibility, Art 11.
- See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
- ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
- Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
- Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
- Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
- According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century'; see also Tallinn Manual 2.0, Chapter 4 Section 1 chapeau, paragraph 13.
- Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49, para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)