| The law of State responsibility is largely customary in nature; its codification is provided by the Draft Articles on the Responsibility of States for Internationally Wrongful Acts. While some of the Articles are more controversial, they are generally accepted as reflective of customary law. The law of State responsibility also applies to cyber operations and other cyber activities.
Every internationally wrongful act of a State has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.
"The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations."
"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.
While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."
"[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out."
|The law of state responsibility is a cornerstone for responsible state behaviour in cyberspace when it comes to assessing the unlawfulness of cyber operations below the threshold of use of force.|
"The law of state responsibility includes key principles that govern when and how a state is held responsible for cyber operations that constitute a breach of international obligation, by either an act or an omission. A cyber operation can constitute an internationally wrongful act if it is attributable under international law and it constitutes a breach of international obligation under the law of state responsibility. States must comply with customary international law mirrored in the Articles for Responsibility of States for Internationally Wrongful Acts.
States are responsible for their activities in cyberspace. States are accountable for their internationally wrongful cyber operations just as they would be responsible for any other activity according to international treaties or customary international law. State responsibility applies regardless of whether such acts are carried out by a state or non-state actors instructed, directed or controlled by a state.
States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors and proxies. For example, if a hacker group launches cyber operations which have been tailored according to instructions from a state, or the cyber operations are directed or controlled by that state, state responsibility can be established."
"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."
"The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace."
"If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged."
"A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State."
"Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights."
"Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act."
"Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities. An internationally wrongful act can be attributed to a state if it was carried out by organs of the state, persons or entities empowered to exercise elements of governmental authority on behalf of that state, or agents acting on the instructions of, or under the direction or control of the state; or where the state acknowledges and adopts the act as its own. States may also be internationally responsible for aiding or assisting internationally wrongful cyber activity carried out by another state."
|In order for a State to be held internationally responsible for a cyber operation, the operation has to be attributable to the State under international law.
A State may also be held responsible under international law if it possesses knowledge of a cyber operation that is being carried out from its territory and causing serious adverse consequences with respect to a right of the target State under international law, and fails to take reasonably available measures to terminate the cyber operation.
"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.
In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."
"There is an internationally wrongful act of a State when conduct consisting of an action or omission is:
- attributable to the State under international law; and
- constitutes a breach of an international obligation of the State
Therefore, from the perspective of state responsibility under international law, attribution is one of the components.
"The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law."
"There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.
The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commissions Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control.
These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear - states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control."
"A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility. As well as bearing responsibility for acts of its organs and agents, a State is also responsible in accordance with international law where, for example, a person or a group of persons acts on its instructions or under its direction or control."
"States are legally responsible for activities undertaken through “proxy actors,” who act on the state’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful."
"From a legal perspective, the customary international law of state responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise governmental authority are attributable to that State, if such organs, persons, or entities are acting in that capacity.
Additionally, cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own.
Thus, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies. When there is information — whether obtained through technical means or all-source intelligence — that permits a cyber act engaged in by a non-State actor to be attributed legally to a State under one of the standards set forth in the law of state responsibility, the victim State has all of the rights and remedies against the responsible State allowed under international law.
The law of state responsibility does not set forth explicit burdens or standards of proof for making a determination about legal attribution. In this context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not—and cannot be—required. Instead, international law generally requires that States act reasonably under the circumstances when they gather information and draw conclusions based on that information.
I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law."
Notes and references
- James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 1.
- Draft Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
- James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 65.
- UN GGE 2015 'Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report' (22 July 2015) UN Doc A/70/174, para 28(f); Tallinn Manual 2.0, commentary to rule 14, para 1. See also, e.g., Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated) (‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’); Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 1 (‘Any violation of [obligations under international law that apply to states in cyberspace] that is attributable to a state constitutes an internationally wrongful act, unless there is a ground for precluding the wrongfulness of an act recognised in international law’); United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017) (‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime’).
- Articles on State Responsibility, Art 2.
- Articles on State Responsibility, Arts 20-26.
- Australian Government, Australia's position on how international law applies to State conduct in cyberspace
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 20-21.
- President of Estonia: international law applies also in cyber space, 29 May 2019
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 27-28.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 28.
- International law and cyberspace - Finland's national position
- Ministry of Defense of France, International Law Applied to Operations in Cyberspace, 9 September 2019, 10.
- Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 3-4
- Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations, 16 June 2021, 4
- The Application of International Law to State Activity in Cyberspace, 1 December 2020, 3.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 70.
- Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136, August 2021, 78.
- Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 5.
- Attorney General Jeremy Wright:Cyber and International Law in the 21st Century, 23 May 2018
- United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement, 3 June 2021
- Harold Hongju Koh, International Law in Cyberspace, 18 September 2012, 6-7
- Brian J. Egan, International Law and Stability in Cyberspace, 10 November 2016 17-20.