Legal attribution is one of the constitutive elements of an international wrongful act, and consists of the attachment “of a given action or omission to a State”.
Many States, including Australia, Estonia, France, Germany, Italy and Switzerland have affirmed that there is no legal obligation to make or publicize decisions on attribution, but rather the act of attributing a cyber operation under international law is a national prerogative at the discretion of each State.
As a rule, the conduct of State organs is attributable to the State in question; by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.
[edit | edit source]
|State organs and persons and entities in exercise of governmental authority|
Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).
Non-State actors[edit | edit source]
Each of the three criteria entails a form of subordination between the non-State actor and the potentially responsible State. Regarding the criterion of control, there is a debate on the degree of control required for the attribution of the conduct to the State, as different tests have been developed.
On the one hand, the ICJ has affirmed that the exercise of “effective control” is necessary, which entails that the State is able to control the beginning of the relevant operations, the way they are carried out, and their end. This position has been expressly followed by some States in the realm of cyber operations, including Brazil, the Netherlands and Norway.
On the other hand, a less restrictive approach has been developed by the ICTY, and followed by the ICRC, under the “overall control” test, which requires the State in question (i) to provide the non-State entity with financial and training assistance, military equipment and/or operational support, and (ii) to participate in the organization, co-ordination or planning of operations of the entity in question. Nevertheless, the proponents of this test limit it to organized groups, meaning that the effective control test remains applicable for the conduct of private individuals, or unorganized groups.
Evidentiary standards[edit | edit source]
| The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof, and these matters are instead ordinarily determined by the relevant forum.
It is generally understood that any allegation that a wrongful act has been committed by another State should be substantiated. Nevertheless, there is no obligation under international law to publicly provide the evidence on which an attribution is based. This has been reaffirmed by many States in their national positions, including Canada, Finland, France, Germany, Israel, the Netherlands, New Zealand, Sweden, Switzerland, the United Kingdom and the United States. Some States have additionally affirmed that a “sufficient level of confidence”, or “sufficient certainty” must be reached before making a decision on attribution.
In case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them." This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved." The scope, scale, and impact of the incident have also been stressed as aspects that should be considered to support the assessment. The utility of cooperation at the regional and international levels for attribution purposes has also been highlighted.
Specific rules may apply to some responses, so when one State responds with countermeasures after misattributing an internationally wrongful act to another State, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.
National positions[edit | edit source]
"Australia will, in its sole discretion, and based on its own judgement, attribute unlawful cyber activities to another State. In making such decisions, Australia relies on the assessments of its law enforcement and intelligence agencies, and consultations with its international partners. A cyber activity will be attributable to a State under international law where, for example, the activity was conducted by an organ of the State; by persons or entities exercising elements of governmental authority; or by non-State actors operating under the direction or control of the State."
"States and international courts have consistently recognized some of the ILC articles on state responsibility as customary international law, such as the rules for attribution. In the absence of any lex specialis for cyberspace, the customary norms concerning the attribution of conduct to a State are also applicable to the State’s use of ICTs. Hence, cyber operations are attributable to a State if they are conducted by a State organ, by persons or entities exercising elements of governmental authority, or by persons or groups “acting on the instructions of, or under the direction or control of,” the State. Regarding the latter criteria, for a private person or entity’s conduct be attributable to a State, it has to be proved that the state had “effective control” over the operations. It is clear, therefore, that a connection “must exist between the conduct of a [state] and its international responsibility.”
The technical difficulties in tracing cyber operations and in determining its authorship may lead to additional challenges in attributing an internationally wrongful act to a State. However, these added difficulties must not serve as a justification to lower the bar for determinations on attribution, which must be substantiated."
"32. Canada applies the customary international law on State responsibility to attribute wrongful conduct in cyberspace. Under the law of State responsibility, an important element is that of attribution, which involves the identification of a State as legally responsible for an internationally wrongful act. A State can be responsible directly, or indirectly where a non-State actor has acted on the instructions of, or under the direction or control of, that State. In this respect, States cannot escape legal responsibility for internationally wrongful cyber acts by perpetrating them through non-state actors who act on a State’s instruction or under its direction or control.
33. Attribution in its legal sense is of course distinct from the technical identification (or technical attribution) of the actor responsible for malicious cyber activity, whether State or non-State, as well as from the public denunciation of the responsible actor (political attribution). Further, Canada believes that the public attribution of internationally wrongful acts engages various political considerations beyond technical and legal attribution. To this end, States bear no obligation to publicly provide the basis upon which an attribution is made."
"[...] states have the right to attribute cyber operations both individually and collectively according to international law. Our ability and readiness to effectively cooperate among allies and partners in exchanging information and attributing malicious cyber activities has improved. The opportunities for malicious actors to walk away from their harmful actions with plausible deniability are clearly shrinking. Last year demonstrated that states are able to attribute harmful cyber operations both individually or in a coordinated manner. It is not something unachievable and endlessly complex. At the end of the day what is required from the attributing state, is not absolute certainty but what is reasonable. When assessing malicious cyber operations we can consider technical information, political context, established behavioural patterns and other relevant indicators."
|A cyber operation is deemed an internationally wrongful act when it is attributable to a state under international law and involves a breach of an international obligation of the state.|
"Attribution remains a national political decision based on technical and legal considerations regarding a certain cyber incident or operation. Attribution will be conducted on a case-by-case basis, and various sources as well as the wider political, security and economic context can be considered.
According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law. Attribution allows establishing if a malicious cyber operation is linked with a state in order to invoke the responsibility of that state.
A state as a subject of international law can exercise its rights and obligations through its organs and in some instances by natural and legal persons. The attribution of an internationally wrongful act, including an internationally wrongful cyber operation, requires careful assessment of whether and how malicious activity conducted by a person, a group of persons or legal persons can be considered as the act of a state. In principle, both acts and omissions are attributable to states.
Attribution is closely related to the availability of information of the malicious cyber operation. Following the various necessary assessments, public statements on attribution can be made, with the aim of increasing accountability in cyberspace and emphasising the importance of adhering to international law obligations and norms of responsible state behaviour."
"An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged. It is in this regard useful to distinguish identification as a technical operation from attribution as a legal operation. Identification may be technically challenging given the often covert nature of hostile cyber activities but this is without consequence to the legal rules of attribution."
"Public attribution, as a sovereign choice, is primarily a question of political consideration. Public attribution may nevertheless have legal effects to the extent it includes determinations of conduct that constitutes an internationally wrongful act."
"The attribution of a cyberattack having its origin in another State is a national political decision. When a cyberattack is detected, France takes the necessary steps to categorise it, which may include neutralising its effects.
Identification of the instigator is based mainly, though not solely, on technical information gathered during investigations of the cyberattack, especially identification of the attack and transit infrastructure for the cyberoperation and its location, identification of the adversary methods of operation (AMO), the overall chronology of the perpetrator’s activities, the scale and gravity of the incident and the compromised perimeter, or the effects sought by the attacker. This information can help to determine whether or not a link exists between the instigators and a State.
A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State.
The identification of a State as being responsible for a cyberattack that is an internationally unlawful act does not in any way oblige the victim State to make a public attribution. Such attribution is a discretionary choice made, inter alia, according to the nature and origin of the operation, the specific circumstances and the international context. It is a sovereign decision insofar as France reserves the right to attribute publicly, or not, a cyberattack against it and to bring that information to the attention of its population, other States or the international community. This policy does not rule out close coordination with France’s allies and partner States, including international or regional organisations, in particular the European Union (EU) and the North Atlantic Treaty Organisation (NATO). However, while the decision may go as far as collective attribution of a cyberattack, it lies solely with France. In addition, international law does not require States to provide the evidence on which the public attribution of a cyberattack is based, though such information helps to legitimise the validity of such attribution. In all events, a decision not to publicly attribute a cyberattack is not a final barrier to the application of international law, and in particular to assertion of the right of response available to States.
The capabilities of the Armed Forces Ministry contribute to the process of characterising cyber-attacks against the French State. The public attribution of a cyberattack against France is a national political decision. Although this power may be exercised in coordination with other States or international organisations, it is prima facie a sovereign prerogative."
"Attributing a cyber incident is of critical importance as a part of holding States responsible for wrongful behaviour and for documenting norm violations in cyberspace. It is also a prerequisite for certain types of responsive action. As regards the attribution of certain acts to States under international law, Germany applies the relevant customary law rules on State responsibility also to acts in cyberspace, subject to any lex specialis provisions. Inter alia, cyber operations conducted by State organs are attributable to the State in question. The same applies with regard to persons or entities which are empowered by the law of a State to exercise elements of the governmental authority and act in that capacity in the particular instance. Attribution is not excluded because such organ, person or entity acting in an official capacity exceeds its authority or contravenes instructions – cyber operations conducted ultra vires are likewise attributable to the State in question. This applies a maiore ad minus when only parts of an operation are ultra vires.
Moreover, cyber operations conducted by non-State actors which act on the instructions of, or under the direction or control of, a State are attributable to that State. The same principles apply as in the physical world: if a State recurs to private actors in order to commit an unlawful deed, the actions by the private actor will regularly be attributable to the State. States should recognize that they are accountable for the actions of proxies acting under their control. The State must have control over a specific cyber operation or set of cyber operations conducted by the non-State actor. While a sufficient degree or intensity of such control is necessary, the State is not required to have detailed insight into or influence over all particulars, especially those of a technical nature, of the cyber operation. A comprehensive assessment of the circumstances of the individual case will be necessary to establish an attributive link.
The application of the international rules on State responsibility and hence the act of formally attributing a malicious cyber operation to a State under international law is first and foremost a national prerogative; however, international cooperation and exchange of information with partners in this regard can be of vital importance. In practice, establishing the facts upon which a decision on attribution may be based is of specific concern in the context of cyber operations since the author of a malicious cyber operation may be more difficult to trace than that of a kinetic operation. At the same time, a sufficient level of confidence for an attribution of wrongful acts needs to be reached. Gathering relevant information about the incident or campaign in question has a technical dimension and may involve processes of data forensics, open sources research, human intelligence and reliance upon other sources – including, where applicable, information and assessments by independent and credible non-state actors. Generating the necessary contextual knowledge, assessing a suspected actor’s motivation for conducting malicious cyber operations and weighing the plausibility of alternative explanations regarding the authorship of a certain malicious cyber act will likewise be part of the process. All relevant information should be considered.
Germany agrees that there is no general obligation under international law as it currently stands to publicize a decision on attribution and to provide or to submit for public scrutiny detailed evidence on which an attribution is based. This generally applies also if response measures are taken. Any such publication in a particular case is generally based on political considerations and does not create legal obligations for the State under international law. Also, it is within the political discretion of a State to decide on the timing of a public act of attribution. Nevertheless, Germany supports the UN Group of Governmental Experts’ position in its 2015 report that accusations of cyber-related misconduct against a State should be substantiated. States should provide information and reasoning and – if circumstances permit – attempt to communicate and cooperate with the State in question to clarify the allegations raised. This may bolster the transparency, legitimacy and general acceptance of decisions on attribution and any response measures taken.
Attribution in the context of State responsibility must be distinguished from politically assigning responsibility for an incident to States or non-State actors: Generally, such statements are made at the discretion of each State and constitute a manifestation of State sovereignty. Acts of politically assigning responsibility may occur in cooperation with partners. As regards attribution in the legal sense, findings of national law-based (court) proceedings involving acts of attribution, for example in the context of criminal liability of certain office holders or non-State actors, may serve as indicators in the process of establishing State responsibility. However, it should be borne in mind that the criteria of attribution under international law do not necessarily correspond to those under domestic law and that additional or specific criteria are generally relevant when establishing State responsibility for individually attributed conduct. Moreover, the adoption of targeted restrictive measures against natural or legal persons, entities or bodies under the EU Cyber Sanctions Regime does not as such imply the attribution of conduct to a State by Germany in a legal sense."
"The issue of attribution is also widely debated with respect to cyber operations. Some have suggested that there needs to be more legal certainty with respect to attribution, in order to avoid mistaken attribution, which can lead to conflict escalation. This is increasingly becoming more of a theoretical issue. Over time, the attribution capabilities of States have improved, and even States with lesser capabilities have been able to rely on solid information provided by other States and by the private sector. In any event, this is a technical matter—a factual one—and I would advise against over-regulating the issue.
That being said, there is also the question of public perceptions—because sometimes, when an offensive cyber operation is public, and the attribution is public, the government needs to communicate with its citizens, and with the international community at large, in order for its positions and actions to be understood. But there will be cases when a State will prefer not to disclose the attack, the attribution, or any ensuing actions taken—for diverse reasons such as national security and foreign relations. Either way, as a matter of international law, the choice whether or not to disclose the attribution information remains at the exclusive discretion of the State."
"Attributing responsibility of cyber activities is a complex matter which has led to different approaches across the international community.
Italy sees merit in contributing to the international law debate on the matter. Italy deems that attribution is a national sovereign prerogative and so is the decision to make it public or not, on a case-by-case basis.
Italy is aware that attribution entails technical, legal and political considerations. With regard to the attribution of cyber wrongful acts by States, Italy considers that any attribution should be based on a sufficient level of confidence on the source of the cyber activities in question and on the identity of the actor(s) responsible. Although under international law there is no general obligation thereto, Italy stresses the importance of transparency: attribution of cyber wrongful activities should therefore be reasonable and credibly based on factual elements related to relevant circumstances of the case. This would be especially required should attribution become part of international courts and/or arbitration proceedings, with the exception of States’ classified information."
"There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law. There are legal, political and technical aspects in discussing the attribution of conduct to a State with respect to cyber operations.
To invoke State responsibility under international law with respect to any act in cyberspace, it is necessary to consider whether the act is attributable to a specific State. On this topic, Articles 4 to 11 of the ILC’s Articles on State Responsibility provide useful reference. As a general rule, in such cases as a cyber operation conducted by a State organ, the act is considered to be attributable to the State. A cyber operation conducted by a non-State actor is, in principle, not attributable to a State. However, according to Article 8 of the ILC’s Articles on State Responsibility, the conduct of a person or group of persons shall be considered an act of a State if the person or group of persons is in fact acting on the instructions of, or under the direction or control of that State in carrying out the conduct." 
"For a state to be held responsible under international law for a cyber operation and, by extension, for a target state to be able to take a countermeasure in response,16 it must be possible to attribute the operation to the state in question. Any attribution of cyber operations is always based on a government decision. Special attention is paid to the degree to which the government has information of its own at its disposal or to which it is able to reach an independent conclusion concerning information it has obtained.
In the context of cyberspace, three forms of attribution can be distinguished:
- Technical attribution – a factual and technical investigation into the possible perpetrators of a cyber operation and the degree of certainty with which their identity can be established. - Political attribution – a policy consideration whereby the decision is made to attribute (publicly or otherwise) a specific cyber operation to an actor without necessarily attaching legal consequences to the decision (such as taking countermeasures). The attribution need not necessarily relate to a state; it may also concern a private actor. - Legal attribution – a decision whereby the victim state attributes an act or omission to a specific state with the aim of holding that state legally responsible for the violation of an obligation pursuant to international law.
In the case of legal attribution a distinction must be made between operations carried out by or on behalf of a state and operations carried out by non-state actors. An act by a government body in its official capacity (for example the National Cyber Security Centre) is always attributable to the state. An act by a non-state actor is in principle not attributable to a state. However, the situation changes if a state has effective control over the act or accepts it as its own act after the fact. In such a case, the non-state actor (or ‘proxy’) carries out the operation on the instructions of, or under the direction or control of that state. The threshold for establishing effective control is high. A financial contribution to the activities of a non-state actor, for example, is not sufficient.
In order to attribute a cyber operation it is not required that a state disclose the underlying evidence. Evidence in the legal sense becomes relevant only if legal proceedings are instituted. A state that takes countermeasures or relies on its inherent right of self-defence (see below) in response to a cyber operation may eventually have to render account for its actions, for example if the matter is brought before the International Court of Justice. In such a situation, it must be possible to provide evidence justifying the countermeasure or the exercise of the right of self-defence. This can include both information obtained through regular channels and intelligence.
Under international law there is no fixed standard concerning the burden of proof a state must meet for (legal) attribution, and thus far the International Court of Justice has accepted different standards of proof. The CAVV and the AIV rightly observe as follows in this regard: ‘International law does not have hard rules on the level of proof required but practice and case law require sufficient certainty on the origin of the attack and the identity of the author of the attack before action can be taken.’ In the government’s view, the burden of proof will indeed vary in accordance with the situation, depending on the seriousness of the act considered to be in breach of international law and the intended countermeasures."
"An internationally wrongful act can be attributed to a state if it was carried out by organs of the state, persons or entities empowered to exercise elements of governmental authority on behalf of that state, or agents acting on the instructions of, or under the direction or control of the state; or where the state acknowledges and adopts the act as its own.
States should act in good faith and take care when attributing legal responsibility to another state for malicious cyber activity. While international law prescribes no clear evidential standard for attributing legal responsibility for internationally wrongful acts, a victim state must be sufficiently confident of the identity of the state responsible. What constitutes sufficient confidence in any case will depend on the facts and nature of the activity. While any legal attribution should be underpinned by a sound evidential basis, there is no general obligation on the attributing state to disclose that basis. However, a state may choose as a matter of policy to disclose specific information that it considered in making its attribution decision, and may be required to defend any such decision as part of international legal proceedings".
"A State may be held responsible under international law for cyber operations conducted by an organ of the State or by actors exercising governmental authority on behalf of the State.
A State may be held responsible under international law for cyber operations conducted by non-State actors if these are conducted on the direct instructions of the State or under its direction or effective control. It may be technically challenging to establish that a relationship between a State and a non-State actor amounts to direct instructions, direction or effective control. However, this is a question of evidence, and not of lack of clarity of international law." 
"Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”).
The document reiterates that “Every internationally wrongful act of a State entails the international responsibility of that State.” (Article 1). A state is responsible for conduct consisting of both an action or omission that is attributable to the state under international law and constitutes a breach of an international obligation of the state (Article 2). Articles 4– 11 describe the rules governing the attribution of responsibility to a state. According to these rules, the State is responsible among others for the conduct of its organs, persons or entities which, even though they are not organs, are empowered by law to exercise governmental authority, as well as persons or groups of persons acting on the instructions of, or under the direction or control of that state.
The above norms also apply to conduct of states in cyberspace. The state may therefore be responsible for internationally wrongful acts of, for instance of hacker groups or individual hackers, if the conditions expressed in the Articles on the Responsibility of States are satisfied. At the same time, it should be remembered that the specific nature of cyberspace severely hampers the attribution of internationally wrongful acts to states or other actors."
"In cyber context, attribution (especially from the technical point of view) of the conduct to a State is difficult to determine given the fact that most of the times the actions are undertaken via proxies.
Therefore, if the conduct is not evident as being of a State organ, then, in order to be attributed to a State, it must be proven that it is:
- of a person or entity exercising elements of the governmental authority of that State
- of organs placed at the disposal of that State by another State
- of a person or entities acting under the instructions of, or under the direction or control of that State
In order to determine the degree of control reference should be made to the jurisprudence of the ICJ and of the various international courts and tribunals that have dealt with matters of State attribution."
"Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence".
"Cyber operations conducted by State organs are attributed to the State, as are cyber operations conducted by persons empowered to exercise elements of governmental authority if acting in that particular capacity. A State is normally not responsible for the conduct of individuals not empowered to exercise governmental authority. However, in situations where non-state actors act on the instructions or under the direction or control of a State, that conduct is attributed to the State. Conduct not attributed to a State may nevertheless be considered an act of that State if that State acknowledges and adopts the conduct as its own."
"Legal attribution must be distinguished from public attribution. Legal attribution is an integral part in the process to establish and characterise an act in legal terms, and there is no legal requirement to disclose any evidence in relation to the assessment of attribution of conduct. Publicizing a decision on attribution is the prerogative of sovereign States and is not a requirement under international law.
"Attribution of a cybersecurity incident refers to the identification of the perpetrator and describes a holistic, interdisciplinary process. This includes analysing the technical and legal aspects of the incident, factoring in the geopolitical context, and using the entire intelligence spectrum for the purpose of gathering information. Using this approach, a state can attribute a cyber incident to another state or a private actor, either publicly or not, and it can decide to take further political measures.
The process described above includes legal attribution, which ascertains whether a cyber incident can be legally attributed to a state and if that state can be held responsible under international law in accordance with the rules on state responsibility; it also concerns how the injured state may respond (known as countermeasures, see section 6.2). The conduct of any state organ or person exercising an inherently governmental function is always legally attributable to the state concerned.18 If a cyber incident is carried out by a non-state actor, it can only be attributed to a state under certain conditions. In such cases, state responsibility only arises if the non-state actor acts on the instructions of a state, or under the direction or control of state organs. If this requirement is met, the conduct constitutes an act by the state and is attributable to that state. The injured state is also permitted to take countermeasures (see section 6.2). If the required interstate dimension is lacking however, international law does not in principle permit countermeasures against another state.
The decision to attribute conduct is at the discretion of the injured state and there is no obligation under international law to disclose the information leading to such a decision. Allegations of the organisation or implementation of an unlawful act against another state should however be substantiated."
"These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear - states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control."
"As with other forms of hostile activity, there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state, in addition to whether the legal test is met.
There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances.
However, the UK can and does attribute malicious cyber activity where we believe it is in our best interests to do so, and in furtherance of our commitment to clarity and stability in cyberspace. Sometimes we do this publicly, and sometimes we do so only to the country concerned. We consider each case on its merits.
For example, the WannaCry ransomware attack affected 150 countries, including 48 National Health Service Trusts in the United Kingdom. It was one of the most significant attacks to hit the UK in terms of scale and disruption. In December 2017, together with partners from the US, Australia, Canada, New Zealand, Denmark and Japan, we attributed the attack to North Korean actors. Additionally, our attribution, together with eleven other countries, of the destructive NotPetya cyber-attack against Ukraine to the Russian government, specifically the Russian Military in February this year illustrated that we can do this successfully. If more states become involved in the work of attribution then we can be more certain of the assessment. We will continue to work closely with allies to deter, mitigate and attribute malicious cyber activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community."
"As well as bearing responsibility for acts of its organs and agents, a State is also responsible in accordance with international law where, for example, a person or a group of persons acts on its instructions or under its direction or control."
"The term ‘attribution’ is used in relation to cyberspace in both a legal and non-legal sense. It is used in a legal sense to refer to identifying those who are responsible for an internationally wrongful act. It is also used in a non-legal sense to describe the identification of actors (including non-state actors) who have carried out cyber conduct which may be regarded as hostile or malicious but does not necessarily involve an internationally wrongful act.
For the UK, there are technical and diplomatic considerations in determining whether to attribute publicly such activities in cyberspace. The decision whether to make a public attribution statement is a matter of policy. Each case is considered on its merits. The UK will publicly attribute conduct in furtherance of its commitment to clarity and stability in cyberspace or where it is otherwise in its interests to do so.
Whatever the nature of the attribution, there is no general legal obligation requiring a State to publicly disclose any underlying information on which its decision to attribute conduct is based."
"I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."
"Coordination between States, in a more general sense, is also crucial in responding to hostile State activity in cyberspace and imposing a cost on those who seek to abuse the freedom and opportunity that technological progress has provided them. States are developing more sophisticated and coordinated diplomatic and economic responses. This can be seen in the response to the recent operation targeting Microsoft Exchange servers, where 39 partners including NATO, the EU and Japan coordinated in attributing hostile cyber activity to China. It can also be seen in the response to the Russian SolarWinds hack which saw coordinated US, UK and allied sanctions and other measures."
"States are legally responsible for activities undertaken through “proxy actors,” who act on the state’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful."
"[..]cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. I noted that legal tools exist to ensure that states are held accountable for those acts. What I want to highlight here is that many of these challenges — in particular, those concerning attribution — are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones."
"From a legal perspective, the customary international law of state responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise governmental authority are attributable to that State, if such organs, persons, or entities are acting in that capacity.
Additionally, cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own.
Thus, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies. When there is information — whether obtained through technical means or all-source intelligence — that permits a cyber act engaged in by a non-State actor to be attributed legally to a State under one of the standards set forth in the law of state responsibility, the victim State has all of the rights and remedies against the responsible State allowed under international law.
The law of state responsibility does not set forth explicit burdens or standards of proof for making a determination about legal attribution. In this context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not—and cannot be—required. Instead, international law generally requires that States act reasonably under the circumstances when they gather information and draw conclusions based on that information.
I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law."
"The law of State responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise elements of governmental authority are attributable to that State. As important, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies; cyber operations conducted by non-State actors are attributable to a State under the law of State responsibility when such operations are engaged in pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own. Thus, when there is information – whether obtained through technical means or all-source intelligence – that permits attribution of a cyber act of an ostensibly non-State actor to a State under the international law of State responsibility, the victim State has all of the rights and remedies against the responsible State permitted to it under international law.
The law of State responsibility does not set forth burdens or standards of proof for attribution. Such questions may be relevant for judicial or other types of proceedings, but they do not apply as an international legal matter to a State’s determination about attribution of internationally wrongful cyber acts for purposes of its response to such acts, including by taking unilateral, self-help measures permissible under international law, such as countermeasures. In that context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not required. Instead, international law generally requires that States act reasonably under the circumstances. Similarly, there is no international legal obligation to reveal evidence on which attribution is based. But to facilitate global understanding of emerging state practice in this rapidly developing area, public attributions should, wherever feasible, include sufficient evidence to allow corroboration or cross-checking of allegations.
Attribution plays an important role in States’ responses to malicious cyber activities as a matter of international law. It is crucial, however, to distinguish legal attribution from attribution in the technical and political senses. States and commentators often express concerns about the challenge of attribution in a technical sense – that is, the challenge in light of certain characteristics of cyberspace of obtaining facts, whether through technical indicators or all-source intelligence, that would inform a State’s policy and legal determinations about a particular cyber incident. Others have raised issues related to political decisions about attribution – that is, considerations that might be relevant to a State’s decision to go public and identify another State as the actor responsible for a particular cyber incident and to condemn a particular cyber act as unacceptable. As norms emerge to clarify how international law addresses the issue of attribution, it would be useful, wherever possible, for law-abiding states to share information regarding both technical knowhow and state practice."
Appendixes[edit | edit source]
See also[edit | edit source]
- Scenario 02: Cyber espionage against government departments
- Scenario 05: State investigates and responds to cyber operations against private actors in its territory
- Scenario 06: Cyber countermeasures against an enabling State
- Scenario 08: Certificate authority hack
- Scenario 09: Economic cyber espionage
- Scenario 11: Sale of surveillance tools in defiance of international sanctions
- Scenario 13: Cyber operations as a trigger of the law of armed conflict
- Scenario 14: Ransomware campaign
- Scenario 17: Collective responses to cyber operations
- Scenario 23: Vaccine research and testing
Notes and references[edit | edit source]
- ILC Articles on State Responsibility, commentary to Article 2, para 12.
- Australian Government, Australia's position on how international law applies to State conduct in cyberspace (2020)
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 28.
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019) 10.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 11.
- Italian Ministry for Foreign Affairs and International Cooperation, 'Italian position paper on "International law and cyberspace"' (2021) 5.
- Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6.
- ILC Articles on State Responsibility, Art 4.
- ILC Articles on State Responsibility, Art 8.
- ILC Articles on State Responsibility, Art 4(1).
- ILC Articles on State Responsibility, Art 5.
- ILC Articles on State Responsibility, Art 6.
- ILC Articles on State Responsibility, Art 7; Tallinn Manual 2.0, commentary to rule 15, paras. 6-7 and 12.
- ILC Articles on State Responsibility, Art 8; see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405.
- Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 426–27.
- See: ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v US) (Merits)  ICJ Rep 14, para 115; ICJ, Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment)  ICJ Rep 43, para 400.
- See Stefan Talmon, ‘The Responsibility of Outside Powers for Acts of Secessionist Entities’ (2009) 58(3) International and Comparative Law Quarterly 493, 503; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of cyber operations: an international law perspective on the Park Jin Hyok case’ (2020) 9(1) Cambridge International Law Journal 51, 63; See also Marco Roscini, Cyber Operations and the Use of Force in International Law (OUP 2014) 37-38.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 21.
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 6.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 71.
- Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (ICTY, 15 July 1999) paras 116 and ff.
- ICRC (ed), Commentary to the First Geneva Gonvention (CUP 2016) para 409; ICRC (ed), Commentary to the Third Geneva Convention (CUP 2021) para 304
- Prosecutor v Prlić et al (Trial Judgment) IT-04-74-T (ICTY, 29 May 2013), para. 86(a); see also Kubo Mačák, ‘Decoding Article 8 of the International Law Commission’s Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JCSL 405, 422.
- Prosecutor v Tadić (Appeal Judgment) IT-94-1-A (ICTY, 15 July 1999) para 132; see also Antonio Cassese, ‘The Nicaragua and Tadić Tests Revisited in Light of the ICJ Judgment on Genocide in Bosnia’ (2007) 18(4) EJIL 649, 657.
- ILC Articles on State Responsibility, Art 9.
- ILC Articles on State Responsibility, Art 10(1).
- ILC Articles on State Responsibility, Art 10(2).
- ILC Articles on State Responsibility, Art 11.
- See further Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 233; Isabella Brunner, Marija Dobrić and Verena Pirker, ‘Proving a State’s Involvement in a Cyber-Attack: Evidentiary Standards Before the ICJ’ (2015) 25 Finnish Yearbook of International Law 75; Tomohiro Mikanagi and Kubo Mačák, ‘Attribution of Cyber Operations: An International Law Perspective on the Park Jin Hyok case’ (2020) 9 Cambridge International Law Journal 51, 64-68.
- ILC Articles on State Responsibility, commentary to chapter III, para 4 ("Questions of evidence and proof of such a breach fall entirely outside the scope of the articles."); ibid, commentary to Art 19, para 8 ("Just as the articles do not deal with questions of the jurisdiction of courts or tribunals, so they do not deal with issues of evidence or the burden of proof.").
- Tallinn Manual 2.0, Chapter 4 Section 1, para 8.
- UN Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, A/70/174 (22 July 2015) para. 28(f); UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) para 71.(g); Acknowledged by Brazil, Germany, Russia and Switzerland in their national positions.
- SeeTallinn Manual 2.0, Chapter 4 Section 1 chapeau, para 13.
- Government of Canada, International Law applicable in cyberspace (April 2022)
- International law and cyberspace - Finland's national position (2020)
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace (9 September 2019) 11.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 12.
- Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020)
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace (26 September 2019) 6.
- The Application of International Law to State Activity in Cyberspace (1 December 2020) 3.
- Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 5
- Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6.
- According to the UK Attorney General, "[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances." (UK Attorney General, Jeremy Wright QC MP, 'Cyber and International Law in the 21st Century' (23 May 2018); United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021)
- Brian J Egan, International Law and Stability in Cyberspace (10 November 2016) 19; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 141.
- See the national positions of Germany and Italy. See also New Zealand’s national position (“sufficient confidence”).
- See The Netherlands’ national position.
- Tallinn Manual 2.0, Chapter 4 Section 1, para 10; Cf. Yeager v Islamic Republic of Iran (1987) 17 Iran-US CTR 92, 101–02 (‘[I]n order to attribute an act to the State, it is necessary to identify with reasonable certainty the actors and their association with the State.’).
- Tallinn Manual 2.0, Chapter 4 Section 1, para 10.
- UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) para 24.
- UN Group of Governmental Experts on Advancing Responsible State Behaviour in Cyberspace in the Context of International Security, A/76/135 (14 July 2021) paras 24 and 27.
- Tallinn Manual 2.0, Chapter 4 Section 1, para 12; see also ILC Articles on State Responsibility, Art 49 para 3 (“A State taking countermeasures acts at its peril, if its view of the question of wrongfulness turns out not to be well founded.”)
- Australian Government, Australia's position on how international law applies to State conduct in cyberspace
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 21.
- Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote , A State may also engage international responsibility if it coerces another state or directs and controls it in the commission of an internationally wrongful act: International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts (Articles on State Responsibility), with commentaries, (2001) Arts. 17, 18, online: https://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf.
- Government of Canada, International Law applicable in cyberspace, April 2022, See Footnote , Articles on State Responsibility, supra note 21,Art. 8.
- Government of Canada, International Law applicable in cyberspace, April 2022
- President of Estonia: international law applies also in cyber space, 29 May 2019
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 28.
- International law and cyberspace - Finland's national position
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 10-11.
- Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 10-12.
- Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations, 8 December 2020.
- Italian position paper on "International law and cyberspace", Italian Ministry for Foreign Affairs and International Cooperation.,5.
- Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4
- Government of the Kingdom of the Netherlands, Appendix: International law in cyberspace, 26 September 2019 , 6-7.
- The Application of International Law to State Activity in Cyberspace (1 December 2020) 3.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 71.
- The Republic of Poland’s position on the application of international law in cyberspace, Ministry of Foreign Affairs of Poland, 29 December 2022, 6.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 78-79.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 80.
- Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace, July 2022,5
- Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 5-6.
- Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
- United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
- Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
- Attorney General Suella Braverman: International Law in Future Frontiers, 19 May 2022
- Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 6-7
- Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 8
- Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 17-20.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 141-142.