Scenario 02: Cyber espionage against government departments: Difference between revisions

Definition

State responsibility

Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[3] The law of State responsibility is largely customary in nature; its codification is provided by the International Law Commission's Articles on State Responsibility.[4] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[5] The law of State responsibility also applies to cyber operations and other cyber activities.[6] Every internationally wrongful act of a State – entailing both acts and omissions –, has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[7]Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[8] An internationally wrongful act entails the State’s international responsibility and gives rise to legal consequences, including the obligation to cease the conduct (if applicable) and the obligation to make full reparation for the injury caused.[9] Publicly available national positions that address this issue include: (2024), (2020), (2024), (2021), (2022), (2023), (2024), (2023), (2019), (2021), (2020), (2021), (2021), (2020), (2021), (2022), (2021), (2021), (2022), (2021), (2018), (2021), (2022), (2021).

National positions

African Union (2024)

"61. Subject to the emergence of specific rules of attribution, the African Union affirms that the customary rules on State responsibility, as reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts provide the applicable rules of the attribution to States of conduct undertaken through ICTs in cyberspace.

62. The African Union is of the view that, in conformity with the relevant rules of international law, the burden to substantiate a claim that a State has committed an internationally wrongful act through ICTs in cyberspace is on the State making such a claim. The African Union also underscores the importance of cooperation, including between national authorities, such as Computer Emergency Response Teams (CERTs)/Computer Security Incident Response Teams (CSIRTs), to detect, investigate, prevent, and halt internationally wrongful acts undertaken through ICTs in cyberspace.

63. The African Union underscores that responses to internationally wrongful acts committed through ICTs in cyberspace should be in accordance with its obligations under the UN Charter, especially the obligations relating to the peaceful settlement of disputes, and the other applicable rules of international law, including the obligation to respect the territorial sovereignty of States."^[10]

Australia (2020)

"The customary international law on State responsibility, much of which is reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts, applies to State behaviour in cyberspace. Under the law on State responsibility, there will be an internationally wrongful act of a State when its conduct in cyberspace – whether by act or omission – is attributable to it and constitutes a breach of one of its international obligations."^[11]

Austria (2024)

"The customary international law rules of state responsibility, largely codified in the International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), apply to cyber activities that are attributable to states. According to the law of state responsibility, every internationally wrongful act – i.e. an act or omission that is attributable to a state under international law and constitutes a breach of an international obligation of the state – entails the international responsibility of that state (cf. Art. 1 and 2 ARSIWA).

A cyber activity is attributable to a state if it is conducted by a de jure or de facto state organ, a person or entity exercising elements of governmental authority, an organ placed at the disposal of a state by another state, or by a non-state actor acting on the instructions of, or under the direction or effective control of a state (Art. 4, 5, 6 and 8 ARSIWA). Ultra vires acts by state organs are generally also attributable to the state, as well as conduct which was acknowledged and adopted by a state as its own (Art. 7 and 11 ARSIWA).

The responsible state must cease a continuing act or offer assurances and guarantees of nonrepetition under certain circumstances, as well as make full reparation for the injury caused by the wrongful act (Art. 30 and 31 ARSIWA).

The wrongfulness of a cyber activity may, under some circumstances, be precluded if it was taken in self-defence, or by way of a non-forcible countermeasure, or in situations of force majeure, distress or necessity (Art. 21 to 25 ARSIWA). A state may also respond with lawful retorsions, which themselves are unfriendly, but lawful acts."^[13]

Brazil (2021)

"Brazil agrees with the basic principle according to which “every internationally wrongful act of a State entails the international responsibility of that State”. This is a customary norm that has been confirmed by international tribunals on several occasions and that has been codified by the International Law Commission (ILC). According to customary international law, as codified by the ILC, an internationally wrongful act is an action or omission that is attributable to a state and constitutes a breach of its international obligations. By analogy, if a cyber operation attributable to a state breaches its international obligations, the state is responsible for this internationally wrongful act.

While many norms on state responsibility are generally considered customary international law, as reflected in the articles emanated from the ILC, there are other rules whose legal status is still unclear. The General Assembly took note of the ILC articles on state responsibility for internationally wrongful acts in its Resolution 56/83 of 2001. It has also commended the articles to the attention of governments without prejudice to the question of their future adoption. The ILC articles on state responsibility have been under consideration of the General Assembly for 18 years, and the debates on this issue at its Sixth Committee demonstrate that states have divergent views on their legal status."^[14]

Canada (2022)

"28. The international law of State responsibility applies across the whole spectrum of substantive areas of international law, including in cyberspace. It governs such issues as the attribution of internationally wrongful acts to States. It also addresses circumstances precluding wrongfulness, including countermeasures, and possible remedies. The law of State responsibility is not concerned with the legality of the use of force, including in self-defence, which is a separate area of international law.

29. In Canada’s view, this well-established body of international law is not only applicable, but highly relevant in relation to contemporary cyber activities. To date, all publicly known malicious cyber activities have been widely interpreted by States as falling below the threshold (or thresholds) of the threat or use of force or armed attacks."^[15]

"30. An internationally wrongful act in the cyber context is a cyber-related action or omission that: constitutes a breach of an international legal obligation, whether to another State or the entire international community; and is attributable to a State under international law.

31. International law recognises exceptions to what would otherwise be internationally wrongful acts. Examples include cases of self-defence and countermeasures."^[16]

Costa Rica (2023)

"10. Costa Rica believes that, under customary international law, as codified in Articles 1 and 2 of the International Law Commission (ILC)’s Articles on Responsibility of States for Internationally Wrongful Acts (‘the ILC Articles’), cyber operations may amount to internationally wrongful acts engaging the responsibility of a State when they can be attributed to it and involve a breach of its international obligation(s)."^[17]

Czech Republic (2024)

"52. The customary international law on State responsibility, as reflected in the International Law Commission's Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA), applies to State behaviour in cyberspace.

53. An internationally wrongful act is an act or omission that constitutes a breach of an international obligation of a State and is attributable to it under international law."^[18]

Denmark (2023)

"Denmark is of the view that the general rules of State responsibility apply in cyberspace. A State bears international responsibility if it breaches an international obligation owed to another State. A State may be responsible under international law for acts undertaken by an organ of the State or by actors exercising government authority on behalf of that State. Acts by a non-State actor may be attributable to a State where the non-State actor carries out a cyber operation under the instruction of, or under the direction or control of that State, or where the State actor acknowledges and adopts the operations carried out by the non-State actor as its own.

Each State may decide whether to publicly attribute cyber acts to other States or not. There is no obligation under international law for States to share documentation or other evidence supporting an attribution. The application of international law and State responsibility does not depend on public attribution."^[19]

Estonia (2019)

"[...] states are responsible for their activities in cyberspace. Sovereignty entails not only rights, but also obligations. States are responsible for their internationally wrongful cyber operations just as they would be responsible for any other activity based on international treaties or customary international law. This is the case whether or not such acts are carried out by state organs or by non-state actors supported or controlled by the state. States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors. If a cyber operation violates international law, this needs to be called out."^[20]

Estonia (2021)

"The law of state responsibility includes key principles that govern when and how a state is held responsible for cyber operations that constitute a breach of international obligation, by either an act or an omission. A cyber operation can constitute an internationally wrongful act if it is attributable under international law and it constitutes a breach of international obligation under the law of state responsibility. States must comply with customary international law mirrored in the Articles for Responsibility of States for Internationally Wrongful Acts.

States are responsible for their activities in cyberspace. States are accountable for their internationally wrongful cyber operations just as they would be responsible for any other activity according to international treaties or customary international law. State responsibility applies regardless of whether such acts are carried out by a state or non-state actors instructed, directed or controlled by a state.

States cannot waive their responsibility by carrying out malicious cyber operations via non-state actors and proxies. For example, if a hacker group launches cyber operations which have been tailored according to instructions from a state, or the cyber operations are directed or controlled by that state, state responsibility can be established."^[21]

"In order to enforce state responsibility, states maintain all rights to respond to malicious cyber operations in accordance with international law. If a cyber operation is unfriendly or violates international law obligations, injured states have the right to take measures such as retorsions, countermeasures or, in case of an armed attack, the right to self-defence. These measures can be either individual or collective. The main aim of reactive measures in response to a malicious cyber operation is to ensure responsible state behaviour in cyberspace and the peaceful use of ICTs."

[...]

"According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law."^[22]

Finland (2020)

"The law of State responsibility consists of secondary rules that apply generally in the absence of clear specific rules that modify their effect. As there is no specific regulation concerning State activities in cyberspace that would constitute such lex specialis, it can be concluded that the normal rules of State responsibility apply in cyberspace. When a State’s cyber operation violates its obligations under international law, it constitutes an internationally wrongful act. An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged."^[23]

Italy (2021)

"Italy concurs with the view that attribution of cyber wrongful acts from one State to another is governed by the general rules of international law on the attribution of State conduct as codified by the International Law Commission (ILC) Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA). Still, Italy acknowledges the difficulties of applying the ARSIWA in a peculiar environment such as cyberspace."^[24]

Japan (2021)

"Internationally wrongful acts committed by a State in cyberspace entail State responsibility. An internationally wrongful act occurs when the conduct of a State consisting of an action or omission violates an obligation prescribed by primary rules of international law. In the case of cyber operations as well, there is an internationally wrongful act when a State violates primary rules, including the principles of sovereignty, non-intervention, prohibition of the use of force, as well as various principles of international humanitarian law such as the principle of prohibition of attacks on civilian objects, and respect for basic human rights."^[25]

"Regarding cyber operations as well, a State responsible for an internationally wrongful act is under the following obligations. First, the State shall cease the act if it is continuing. In addition, the State shall offer appropriate assurances and guarantees of non-repetition, if circumstances so require. Besides, the responsible State is under an obligation to make full reparation for the injury caused by the internationally wrongful act."

[...]

"There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law."^[26]

New Zealand (2020)

"Where a state is subject to cyber activity that amounts to an internationally wrongful act, it may also invoke the international legal responsibility of the responsible state. States are responsible for internationally wrongful acts that can be attributed to them, including wrongful cyber activities."^[27]

Norway (2021)

"The general rules on State responsibility under international law apply to cyber operations just as they apply to other activities.

In order for a State to be held responsible for a cyber operation under international law, it is a condition that the cyber operation is attributable to the State under international law. Both State and non-State actors conduct cyber operations. Even if a cyber operation is not conducted by someone acting directly or indirectly on behalf of a State, the State may nevertheless be held responsible under international law if it fails to take adequate measures against cyber operations that target third States from or via its territory."^[28]

Poland (2022)

"Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”)."^[29]

Romania (2021)

"There is an internationally wrongful act of a State when conduct consisting of an action or omission is:

• attributable to the State under international law; and
• constitutes a breach of an international obligation of the State

Therefore, from the perspective of state responsibility under international law, attribution is one of the components".^[30]

[...]

"Once attributed to a State and determined that the conduct constitutes a breach of an international obligation (the 2nd component), the international responsibility of that State is entailed and can be invoked by the injured State either individually (if the obligation breached is owed to that State or if that State was otherwise affected by the conduct) or collectively with other States if the obligation breached was owed to a group of States (including that State) or to the international community as a whole; the invocation of the responsibility of a State is a matter of political choice; however, the responsibility of a State for an international wrongful act is an objective circumstance from the legal standpoint, which exists independent of its invocation by the injured State(s); nevertheless, under draft articles of State responsibility there is a certain procedure to be followed by the injured State invoking the responsibility of another State (therefore a pubic invocation may not suffice)."^[31]

Russia (2021)

"The possibility of attributing responsibility for particular actions in information space to States demands further study on the basis of the existing international law. The international responsibility of a State is conditioned to the commission of an internationally wrongful act by this State. According to the Articles on Responsibility of States for Internationally Wrongful Acts (elaborated by the UN International Law Commission in 2001, taken note in the UNGA resolution A/RES/56/83), there is an internationally wrongful act of a State when conduct consisting of an action or omission: 1) is attributable to the State under international law; 2) constitutes a breach of an international legal obligation of the State. The characterization of an act of a State as internationally wrongful is governed by international law. Such characterization is not affected by the characterization of the same act as lawful by internal law (article 3)."^[32]

[...]

"Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence."^[33]

Sweden (2022)

"An internationally wrongful act by a State entails the responsibility of that State under international law. The articles on State responsibility drafted by the International Law Commission constitute secondary norms of international law, identifying conditions when a State is internationally responsible for wrongful acts and the effects thereof. The general norms on State responsibility apply also in relation to wrongful acts in the cyber context.

Technical difficulties pose new challenges in identifying those responsible for cyber operations, compared with kinetic operations, but the rules on attribution under the law of State responsibility also apply in a cyber context."^[34]

Switzerland (2021)

"The customary international rules on state responsibility are largely reflected in the draft articles issued by International Law Commission. They are also applicable to cyber incidents. They provide that any state action in violation of international law shall entail the international responsibility of that state, upon which a claim for full reparation may be made. This only applies if the action can be legally attributed to the state and is deemed to constitute an internationally wrongful act, i.e. in violation of international law."^[35]

United Kingdom (2018)

"There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation. Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals.

The international law rules on the attribution of conduct to a state are clear, set out in the International Law Commissions Articles on State Responsibility, and require a state to bear responsibility in international law for its internationally wrongful acts, and also for the acts of individuals acting under its instruction, direction or control."^[36]

United Kingdom (2021)

"A State is responsible under international law for cyber activities that are attributable to it in accordance with the rules on State responsibility. The responsibility of a State for activities that occur on its territory including in relation to activities in cyberspace is therefore determined in accordance with the rules of international law on State responsibility."^[37]

United Kingdom (2022)

"I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."^[38]

United States (2021)

"Both the 2013 and 2015 GGE reports concluded that States must meet their international obligations regarding internationally wrongful acts attributable to them under international law. In addition, they must not use proxies to commit internationally wrongful acts using ICTs.

Under the law of State responsibility, a State is responsible for an internationally wrongful act when there is an act or omission that is attributable to it under international law that constitutes a breach of an international obligation of the State. Cyber activities may therefore constitute internationally wrongful acts under the law of State responsibility if they are inconsistent with an international obligation of the State and are attributable to it."^[39]

Appendixes

See also

Notes and references

Bibliography and further reading

Legal attribution is one of the constitutive elements of an international wrongful act, and consists of the attachment “of a given action or omission to a State”.^[1]

Many States, including Australia,^[2] Estonia,^[3] France,^[4] Germany,^[5] Italy^[6] and Switzerland^[7] have affirmed that there is no legal obligation to make or publicize decisions on attribution, but rather the act of attributing a cyber operation under international law is a national prerogative at the discretion of each State.

As a rule, the conduct of State organs is attributable to the State in question;^[8] by contrast, the conduct of non-State actors or third States’ organs can only be attributed to the State under specific circumstances.^[9]

State organs and persons and entities in exercise of governmental authority

State organs and persons and entities in exercise of governmental authority

The following types of conduct of State organs and persons and entities in exercise of governmental authority are attributable to a State: The conduct of any of the organs of that State, "whether the organ exercises legislative, executive, judicial or any other functions, whatever position it holds in the organization of the State, and whatever its character as an organ of the central Government or of a territorial unit of the State";[10] The conduct of "a person or entity which is not an organ of the State […] but which is empowered by the law of that State to exercise elements of the governmental authority, […] provided the person or entity is acting in that capacity in the particular instance";[11] The conduct of an organ of another State placed at the disposal of the State in question, if "the organ is acting in the exercise of elements of the governmental authority" of the latter State.[12] Such conduct is attributable to the State even if the organ, person or entity acting in that capacity "exceeds its authority or contravenes instructions" (acts ultra vires).[13]

Non-State actors

Non-State actors

Activities of non-State actors (groups and individuals) are generally not attributable to States. However, such conduct can be attributable to a State in particular if the actor is: "in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct";[14] Each of the three criteria entails a form of subordination between the non-State actor and the potentially responsible State.[15] Regarding the criterion of control, there is a debate on the degree of control required for the attribution of the conduct to the State, as different tests have been developed. On the one hand, the ICJ has affirmed that the exercise of “effective control” is necessary,[16] which entails that the State is able to control the beginning of the relevant operations, the way they are carried out, and their end.[17] This position has been expressly followed by some States in the realm of cyber operations, including Brazil,[18] the Netherlands[19] and Norway.[20] On the other hand, a less restrictive approach has been developed by the ICTY,[21] and followed by the ICRC,[22] under the “overall control” test, which requires the State in question (i) to provide the non-State entity with financial and training assistance, military equipment and/or operational support, and (ii) to participate in the organization, co-ordination or planning of operations of the entity in question.[23] Nevertheless, the proponents of this test limit it to organized groups, meaning that the effective control test remains applicable for the conduct of private individuals, or unorganized groups.[24] "in fact exercising elements of the governmental authority in the absence or default of the official authorities and in circumstances such as to call for the exercise of those elements of authority";[25] "an insurrectional movement which becomes the new Government of a State";[26] or "a movement, insurrectional or other, which succeeds in establishing a new State in part of the territory of a pre-existing State or in a territory under its administration".[27] Additionally, the conduct of a non-State actor is attributable to a State "if and to the extent that the State acknowledges and adopts the conduct in question as its own".[28]

Evidentiary standards

Evidentiary standards

Evidentiary standards applicable to the attribution of cyber activities are context-dependent.[29] The law of State responsibility as such does not contain generally applicable burdens, standards, or methods of proof,[30] and these matters are instead ordinarily determined by the relevant forum.[31] It is generally understood that any allegation that a wrongful act has been committed by another State should be substantiated.[32] Nevertheless, there is no obligation under international law to publicly provide the evidence on which an attribution is based.[33] This has been reaffirmed by many States in their national positions, including Canada,[34] Finland,[35] France,[36] Germany,[37] Israel,[38] the Netherlands,[39] New Zealand,[40] Sweden,[41] Switzerland,[42] the United Kingdom[43] and the United States.[44] Some States have additionally affirmed that a “sufficient level of confidence”,[45] or “sufficient certainty”[46] must be reached before making a decision on attribution. In case a State is considering a response to an internationally wrongful act, the standard of attribution is that of "reasonableness", i.e. "States must act as reasonable States would in the same or similar circumstances when considering responses to them."[47] This depends, among other factors, on the "reliability, quantum, directness, nature (e.g., technical data, human intelligence), and specificity of the relevant available information when considered in light of the attendant circumstances and the importance of the right involved."[48] The scope, scale, and impact of the incident have also been stressed as aspects that should be considered to support the assessment.[49] The utility of cooperation at the regional and international levels for attribution purposes has also been highlighted.[50] Specific rules may apply to some responses, so when one State responds with countermeasures after misattributing an internationally wrongful act to another State, it commits an internationally wrongful act of its own, even though it correctly applied the "reasonableness" standard of attribution.[51]

National positions

African Union (2024)

"61. Subject to the emergence of specific rules of attribution, the African Union affirms that the customary rules on State responsibility, as reflected in the ILC Draft Articles on the Responsibility of States for Internationally Wrongful Acts provide the applicable rules of the attribution to States of conduct undertaken through ICTs in cyberspace."^[52]

Australia (2020)

"Australia will, in its sole discretion, and based on its own judgement, attribute unlawful cyber activities to another State. In making such decisions, Australia relies on the assessments of its law enforcement and intelligence agencies, and consultations with its international partners. A cyber activity will be attributable to a State under international law where, for example, the activity was conducted by an organ of the State; by persons or entities exercising elements of governmental authority; or by non-State actors operating under the direction or control of the State."^[53]

Brazil (2021)

"States and international courts have consistently recognized some of the ILC articles on state responsibility as customary international law, such as the rules for attribution. In the absence of any lex specialis for cyberspace, the customary norms concerning the attribution of conduct to a State are also applicable to the State’s use of ICTs. Hence, cyber operations are attributable to a State if they are conducted by a State organ, by persons or entities exercising elements of governmental authority, or by persons or groups “acting on the instructions of, or under the direction or control of,” the State. Regarding the latter criteria, for a private person or entity’s conduct be attributable to a State, it has to be proved that the state had “effective control” over the operations. It is clear, therefore, that a connection “must exist between the conduct of a [state] and its international responsibility.”

The technical difficulties in tracing cyber operations and in determining its authorship may lead to additional challenges in attributing an internationally wrongful act to a State. However, these added difficulties must not serve as a justification to lower the bar for determinations on attribution, which must be substantiated."^[54]

Canada (2022)

"32. Canada applies the customary international law on State responsibility to attribute wrongful conduct in cyberspace. Under the law of State responsibility, an important element is that of attribution, which involves the identification of a State as legally responsible for an internationally wrongful act. A State can be responsible directly, or indirectly where a non-State actor has acted on the instructions of, or under the direction or control of, that State.^[55] In this respect, States cannot escape legal responsibility for internationally wrongful cyber acts by perpetrating them through non-state actors who act on a State’s instruction or under its direction or control.^[56]

33. Attribution in its legal sense is of course distinct from the technical identification (or technical attribution) of the actor responsible for malicious cyber activity, whether State or non-State, as well as from the public denunciation of the responsible actor (political attribution). Further, Canada believes that the public attribution of internationally wrongful acts engages various political considerations beyond technical and legal attribution. To this end, States bear no obligation to publicly provide the basis upon which an attribution is made."^[57]

Costa Rica (2023)

"11. In Costa Rica’s view, the existing customary thresholds for legal attribution of conduct to States continue to apply in cyberspace. Thus, cyber operations can only be attributed to a State when they are carried out by, inter alia, i) State organs, including persons or groups under complete dependence on the State, ii) persons or entities empowered by law to exercise elements of governmental authority, including organs placed at the disposal of States by other States, iii) persons or groups acting on the instructions or under the direction or control of the State, and iv) conduct acknowledged and adopted by the State as its own.

12. Legal attribution must be distinguished from the processes of technical and political attribution. Technical attribution comprises a factual investigation into the source of a cyber operation. This often requires technical expertise and is fraught with challenges given cyberspace’s decentralized nature and the widespread use of spoofing techniques and ‘false flags’. Political attribution is the discretionary decision of a State to single out a certain entity, whether a State or a non-State actor, as the author of a certain cyber operation. While international law neither imposes a specific evidentiary threshold for legal attribution nor requires the publication of any evidence for this purpose, States should consider all relevant information when legally attributing cyber operations to another State, publicly or not".^[58]

Czech Republic (2024)

"54. The Czech Republic recognises the right of a State to attribute a cyber activity, either individually or collectively, in compliance with international law. A decision to attribute a cyber activity is a national prerogative and remains at the discretion of a sovereign State.

55. General international rules of attribution as reflected in ARSIWA are also applicable to cyberspace. A cyber operation is deemed an internationally wrongful act when it is attributable to a State under international law and constitutes a breach of an international obligation of the State. A cyber activity is attributable to a State if perpetrated by organs of States, or persons or entities exercising elements of governmental authority and acting in that capacity in the particular instance, or organs placed at the disposal of a State by another State. Furthermore, States are responsible for international wrongful acts conducted by cyber means and perpetrated by non- state actors if such an actor in fact acts on the instruction of, or under the direction or control of that State in carrying out the conduct in question.

56. Attribution is linked to the availability of information. It requires establishing the facts of the activity in question and the identity of the actors responsible for the purposes of attribution. Cooperation with relevant institutions to gather all available information, information sharing, consultations and coordination at national and international level can be required. Attribution is based not only on gathering relevant technical information but also on the assessment of a political and security context of a cyber activity, its nature, extent, and consequences. The ascertainment of the State of origin of a cyber activity is not in itself a determining factor and cannot stand as an argument alone.

57. Although States are not required to be absolutely certain to attribute a wrongful act, but rather to gather and reasonably assess the information available, a sufficient degree of certainty on attribution of a wrongful act to a particular State needs to be reached.

58. States are not obliged to disclose evidence in order to publicly attribute a cyber activity. The disclosure of evidence may be relevant when a legal proceeding is initiated (e.g., before the International Court of Justice)."^[59]

Estonia (2019)

"[...] states have the right to attribute cyber operations both individually and collectively according to international law. Our ability and readiness to effectively cooperate among allies and partners in exchanging information and attributing malicious cyber activities has improved. The opportunities for malicious actors to walk away from their harmful actions with plausible deniability are clearly shrinking. Last year demonstrated that states are able to attribute harmful cyber operations both individually or in a coordinated manner. It is not something unachievable and endlessly complex. At the end of the day what is required from the attributing state, is not absolute certainty but what is reasonable. When assessing malicious cyber operations we can consider technical information, political context, established behavioural patterns and other relevant indicators."^[60]

Estonia (2021)

"Attribution remains a national political decision based on technical and legal considerations regarding a certain cyber incident or operation. Attribution will be conducted on a case-by-case basis, and various sources as well as the wider political, security and economic context can be considered.

According to Article 2(a) of ARSIWA, an internationally wrongful act of a state has taken place when the conduct consisting of an action or omission is attributable to a state and the action or omission is wrongful under international law. Attribution allows establishing if a malicious cyber operation is linked with a state in order to invoke the responsibility of that state.

A state as a subject of international law can exercise its rights and obligations through its organs and in some instances by natural and legal persons. The attribution of an internationally wrongful act, including an internationally wrongful cyber operation, requires careful assessment of whether and how malicious activity conducted by a person, a group of persons or legal persons can be considered as the act of a state. In principle, both acts and omissions are attributable to states.

Attribution is closely related to the availability of information of the malicious cyber operation. Following the various necessary assessments, public statements on attribution can be made, with the aim of increasing accountability in cyberspace and emphasising the importance of adhering to international law obligations and norms of responsible state behaviour."^[61]

Finland (2020)

"An internationally wrongful act of a State entails its international responsibility and gives rise to an obligation to make full reparation for the damage that may be caused by the act. This requires that the act is attributable to the State. The rules of attribution reflected in the UN International Law Commission’s Articles on State Responsibility remain fully valid in cyberspace. If State organs, or private groups or individuals acting on behalf of the State, can be identified as the authors of a cyber operation that violates the State’s international obligations, its international responsibility is engaged. It is in this regard useful to distinguish identification as a technical operation from attribution as a legal operation. Identification may be technically challenging given the often covert nature of hostile cyber activities but this is without consequence to the legal rules of attribution."

"Public attribution, as a sovereign choice, is primarily a question of political consideration. Public attribution may nevertheless have legal effects to the extent it includes determinations of conduct that constitutes an internationally wrongful act."^[62]

France (2019)

"The attribution of a cyberattack having its origin in another State is a national political decision. When a cyberattack is detected, France takes the necessary steps to categorise it, which may include neutralising its effects.

Identification of the instigator is based mainly, though not solely, on technical information gathered during investigations of the cyberattack, especially identification of the attack and transit infrastructure for the cyberoperation and its location, identification of the adversary methods of operation (AMO), the overall chronology of the perpetrator’s activities, the scale and gravity of the incident and the compromised perimeter, or the effects sought by the attacker. This information can help to determine whether or not a link exists between the instigators and a State.

A cyberattack is deemed to have been instigated by a State if it has been perpetrated by a State organ, a person or entity exercising elements of governmental authority, or a person or group of persons acting on the instructions of, or under the direction or control of that State.

The identification of a State as being responsible for a cyberattack that is an internationally unlawful act does not in any way oblige the victim State to make a public attribution. Such attribution is a discretionary choice made, inter alia, according to the nature and origin of the operation, the specific circumstances and the international context. It is a sovereign decision insofar as France reserves the right to attribute publicly, or not, a cyberattack against it and to bring that information to the attention of its population, other States or the international community. This policy does not rule out close coordination with France’s allies and partner States, including international or regional organisations, in particular the European Union (EU) and the North Atlantic Treaty Organisation (NATO). However, while the decision may go as far as collective attribution of a cyberattack, it lies solely with France. In addition, international law does not require States to provide the evidence on which the public attribution of a cyberattack is based, though such information helps to legitimise the validity of such attribution. In all events, a decision not to publicly attribute a cyberattack is not a final barrier to the application of international law, and in particular to assertion of the right of response available to States.

The capabilities of the Armed Forces Ministry contribute to the process of characterising cyber-attacks against the French State. The public attribution of a cyberattack against France is a national political decision. Although this power may be exercised in coordination with other States or international organisations, it is prima facie a sovereign prerogative."^[63]

Germany (2021)

"Attributing a cyber incident is of critical importance as a part of holding States responsible for wrongful behaviour and for documenting norm violations in cyberspace. It is also a prerequisite for certain types of responsive action. As regards the attribution of certain acts to States under international law, Germany applies the relevant customary law rules on State responsibility also to acts in cyberspace, subject to any lex specialis provisions. Inter alia, cyber operations conducted by State organs are attributable to the State in question. The same applies with regard to persons or entities which are empowered by the law of a State to exercise elements of the governmental authority and act in that capacity in the particular instance. Attribution is not excluded because such organ, person or entity acting in an official capacity exceeds its authority or contravenes instructions – cyber operations conducted ultra vires are likewise attributable to the State in question. This applies a maiore ad minus when only parts of an operation are ultra vires.

[...]

Moreover, cyber operations conducted by non-State actors which act on the instructions of, or under the direction or control of, a State are attributable to that State. The same principles apply as in the physical world: if a State recurs to private actors in order to commit an unlawful deed, the actions by the private actor will regularly be attributable to the State. States should recognize that they are accountable for the actions of proxies acting under their control. The State must have control over a specific cyber operation or set of cyber operations conducted by the non-State actor. While a sufficient degree or intensity of such control is necessary, the State is not required to have detailed insight into or influence over all particulars, especially those of a technical nature, of the cyber operation. A comprehensive assessment of the circumstances of the individual case will be necessary to establish an attributive link.

[...]

The application of the international rules on State responsibility and hence the act of formally attributing a malicious cyber operation to a State under international law is first and foremost a national prerogative; however, international cooperation and exchange of information with partners in this regard can be of vital importance. In practice, establishing the facts upon which a decision on attribution may be based is of specific concern in the context of cyber operations since the author of a malicious cyber operation may be more difficult to trace than that of a kinetic operation. At the same time, a sufficient level of confidence for an attribution of wrongful acts needs to be reached. Gathering relevant information about the incident or campaign in question has a technical dimension and may involve processes of data forensics, open sources research, human intelligence and reliance upon other sources – including, where applicable, information and assessments by independent and credible non-state actors. Generating the necessary contextual knowledge, assessing a suspected actor’s motivation for conducting malicious cyber operations and weighing the plausibility of alternative explanations regarding the authorship of a certain malicious cyber act will likewise be part of the process. All relevant information should be considered.

Germany agrees that there is no general obligation under international law as it currently stands to publicize a decision on attribution and to provide or to submit for public scrutiny detailed evidence on which an attribution is based. This generally applies also if response measures are taken. Any such publication in a particular case is generally based on political considerations and does not create legal obligations for the State under international law. Also, it is within the political discretion of a State to decide on the timing of a public act of attribution. Nevertheless, Germany supports the UN Group of Governmental Experts’ position in its 2015 report that accusations of cyber-related misconduct against a State should be substantiated. States should provide information and reasoning and – if circumstances permit – attempt to communicate and cooperate with the State in question to clarify the allegations raised. This may bolster the transparency, legitimacy and general acceptance of decisions on attribution and any response measures taken.

Attribution in the context of State responsibility must be distinguished from politically assigning responsibility for an incident to States or non-State actors: Generally, such statements are made at the discretion of each State and constitute a manifestation of State sovereignty. Acts of politically assigning responsibility may occur in cooperation with partners. As regards attribution in the legal sense, findings of national law-based (court) proceedings involving acts of attribution, for example in the context of criminal liability of certain office holders or non-State actors, may serve as indicators in the process of establishing State responsibility. However, it should be borne in mind that the criteria of attribution under international law do not necessarily correspond to those under domestic law and that additional or specific criteria are generally relevant when establishing State responsibility for individually attributed conduct. Moreover, the adoption of targeted restrictive measures against natural or legal persons, entities or bodies under the EU Cyber Sanctions Regime does not as such imply the attribution of conduct to a State by Germany in a legal sense."^[64]

Ireland (2023)

"20. It is an established principle of international law that every internationally wrongful act of a state entails responsibility. As set out in the International Law Commission’s Draft Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), there is an internationally wrongful act of a state when conduct consisting of an action or omission: first, is attributable to the state under international law; and secondly, constitutes a breach of an international obligation of the state.[16] While the ARSIWA are not legally binding, in most respects they are widely accepted as largely reflecting customary international law. Absent any rules constituting lex specialis, the general rules of state responsibility apply in the cyber context.

21. In customary international law, attribution of an internationally wrongful act to a state can arise in several situations including: acts of organs or officials of the state; ultra vires acts; acts of individuals if conduct is directed and controlled by the state; and acts of individuals whose conduct has been acknowledged or adopted by the state.[17] The last two scenarios are arguably the most relevant in the context of cyberspace, as the nature of cyber-operations means that they can be very difficult to attribute to a specific state organ or official directly.

22. In relation to the concepts of direction and control, in the Nicaragua case the ICJ determined that responsibility for the actions of a third party arose where there was “effective control of the military or paramilitary operations in the course of which the alleged violations were committed.”[18] The ICJ confirmed the effective control test in the Genocide Convention case.

23. Article 11 ARSIWA states that “conduct which is not attributable to a state under the preceding articles shall nevertheless be considered an act of that state under international law if and to the extent that the state acknowledges and adopts the conduct in question as its own.” In the Tehran Hostages case, the ICJ held that state responsibility was engaged with what the Court called, “the seal of official government approval”.[19] In a cyber context, a malicious cyber-operation conducted by a third party can thus be attributed to a state where it essentially takes ownership of the act, which might be ascertained through acts of support, approval and/or acquiescence.

24. There is a distinction to be drawn between legal attribution and political attribution. The former is a strictly legal exercise grounded in international law and the rules of state responsibility, while the latter is likely to be informed by political and technical assessments, often heavily based on intelligence reports. It is important to maintain clarity between the different frameworks in which legal attribution and political attribution are to be considered."^[65]

Israel (2020)

"The issue of attribution is also widely debated with respect to cyber operations. Some have suggested that there needs to be more legal certainty with respect to attribution, in order to avoid mistaken attribution, which can lead to conflict escalation. This is increasingly becoming more of a theoretical issue. Over time, the attribution capabilities of States have improved, and even States with lesser capabilities have been able to rely on solid information provided by other States and by the private sector. In any event, this is a technical matter—a factual one—and I would advise against over-regulating the issue.

That being said, there is also the question of public perceptions—because sometimes, when an offensive cyber operation is public, and the attribution is public, the government needs to communicate with its citizens, and with the international community at large, in order for its positions and actions to be understood. But there will be cases when a State will prefer not to disclose the attack, the attribution, or any ensuing actions taken—for diverse reasons such as national security and foreign relations. Either way, as a matter of international law, the choice whether or not to disclose the attribution information remains at the exclusive discretion of the State."^[66]

Italy (2021)

"Attributing responsibility of cyber activities is a complex matter which has led to different approaches across the international community.

Italy sees merit in contributing to the international law debate on the matter. Italy deems that attribution is a national sovereign prerogative and so is the decision to make it public or not, on a case-by-case basis.

Italy is aware that attribution entails technical, legal and political considerations. With regard to the attribution of cyber wrongful acts by States, Italy considers that any attribution should be based on a sufficient level of confidence on the source of the cyber activities in question and on the identity of the actor(s) responsible. Although under international law there is no general obligation thereto, Italy stresses the importance of transparency: attribution of cyber wrongful activities should therefore be reasonable and credibly based on factual elements related to relevant circumstances of the case. This would be especially required should attribution become part of international courts and/or arbitration proceedings, with the exception of States’ classified information."^[67]

Japan (2021)

"There is an internationally wrongful act of a State when the act is attributable to the State under international law and when the act constitutes a breach of an obligation of the State under international law. There are legal, political and technical aspects in discussing the attribution of conduct to a State with respect to cyber operations.

To invoke State responsibility under international law with respect to any act in cyberspace, it is necessary to consider whether the act is attributable to a specific State. On this topic, Articles 4 to 11 of the ILC’s Articles on State Responsibility provide useful reference. As a general rule, in such cases as a cyber operation conducted by a State organ, the act is considered to be attributable to the State. A cyber operation conducted by a non-State actor is, in principle, not attributable to a State. However, according to Article 8 of the ILC’s Articles on State Responsibility, the conduct of a person or group of persons shall be considered an act of a State if the person or group of persons is in fact acting on the instructions of, or under the direction or control of that State in carrying out the conduct." ^[68]

Netherlands (2019)

"For a state to be held responsible under international law for a cyber operation and, by extension, for a target state to be able to take a countermeasure in response,16 it must be possible to attribute the operation to the state in question. Any attribution of cyber operations is always based on a government decision. Special attention is paid to the degree to which the government has information of its own at its disposal or to which it is able to reach an independent conclusion concerning information it has obtained.

In the context of cyberspace, three forms of attribution can be distinguished:

- Technical attribution – a factual and technical investigation into the possible perpetrators of a cyber operation and the degree of certainty with which their identity can be established. - Political attribution – a policy consideration whereby the decision is made to attribute (publicly or otherwise) a specific cyber operation to an actor without necessarily attaching legal consequences to the decision (such as taking countermeasures). The attribution need not necessarily relate to a state; it may also concern a private actor. - Legal attribution – a decision whereby the victim state attributes an act or omission to a specific state with the aim of holding that state legally responsible for the violation of an obligation pursuant to international law.

In the case of legal attribution a distinction must be made between operations carried out by or on behalf of a state and operations carried out by non-state actors. An act by a government body in its official capacity (for example the National Cyber Security Centre) is always attributable to the state. An act by a non-state actor is in principle not attributable to a state. However, the situation changes if a state has effective control over the act or accepts it as its own act after the fact. In such a case, the non-state actor (or ‘proxy’) carries out the operation on the instructions of, or under the direction or control of that state. The threshold for establishing effective control is high. A financial contribution to the activities of a non-state actor, for example, is not sufficient.

In order to attribute a cyber operation it is not required that a state disclose the underlying evidence. Evidence in the legal sense becomes relevant only if legal proceedings are instituted. A state that takes countermeasures or relies on its inherent right of self-defence (see below) in response to a cyber operation may eventually have to render account for its actions, for example if the matter is brought before the International Court of Justice. In such a situation, it must be possible to provide evidence justifying the countermeasure or the exercise of the right of self-defence. This can include both information obtained through regular channels and intelligence.

Under international law there is no fixed standard concerning the burden of proof a state must meet for (legal) attribution, and thus far the International Court of Justice has accepted different standards of proof. The CAVV and the AIV rightly observe as follows in this regard: ‘International law does not have hard rules on the level of proof required but practice and case law require sufficient certainty on the origin of the attack and the identity of the author of the attack before action can be taken.’ In the government’s view, the burden of proof will indeed vary in accordance with the situation, depending on the seriousness of the act considered to be in breach of international law and the intended countermeasures."^[69]

New Zealand (2020)

"An internationally wrongful act can be attributed to a state if it was carried out by organs of the state, persons or entities empowered to exercise elements of governmental authority on behalf of that state, or agents acting on the instructions of, or under the direction or control of the state; or where the state acknowledges and adopts the act as its own.

[...]

States should act in good faith and take care when attributing legal responsibility to another state for malicious cyber activity. While international law prescribes no clear evidential standard for attributing legal responsibility for internationally wrongful acts, a victim state must be sufficiently confident of the identity of the state responsible. What constitutes sufficient confidence in any case will depend on the facts and nature of the activity. While any legal attribution should be underpinned by a sound evidential basis, there is no general obligation on the attributing state to disclose that basis. However, a state may choose as a matter of policy to disclose specific information that it considered in making its attribution decision, and may be required to defend any such decision as part of international legal proceedings".^[70]

Norway (2021)

"A State may be held responsible under international law for cyber operations conducted by an organ of the State or by actors exercising governmental authority on behalf of the State.

A State may be held responsible under international law for cyber operations conducted by non-State actors if these are conducted on the direct instructions of the State or under its direction or effective control. It may be technically challenging to establish that a relationship between a State and a non-State actor amounts to direct instructions, direction or effective control. However, this is a question of evidence, and not of lack of clarity of international law." ^[71]

Pakistan (2023)

"15. Pakistan hold the view that until the conundrum of the attribution doesn't get resolved, the proper application of international law and IHL in cyberspace will not be possible. Because of the factors like the use of cyberspace by both State and Non-State actors, anonymity, and the transnational nature of the internet, the fair attribution of a cyber-attack to its actual perpetrator is complex, but not insurmountable. Strong coordination and cooperation among the Member States may result in an accurate tracing of IP addresses back to the origin of the attack.

16. It is indispensable to solve the conundrum of attribution to ensure that the attackers, whether State or Non-State actors, shall be held accountable if found violating international law."^[72]

Poland (2022)

"Norms of customary international law concerning the assignment of responsibility to a state are reflected to a large extent in the articles covering the states’ responsibility for internationally wrongful acts as adopted in 2001 by the International Law Commission (hereinafter referred to as “Articles on the Responsibility of States”).

The document reiterates that “Every internationally wrongful act of a State entails the international responsibility of that State.” (Article 1). A state is responsible for conduct consisting of both an action or omission that is attributable to the state under international law and constitutes a breach of an international obligation of the state (Article 2). Articles 4– 11 describe the rules governing the attribution of responsibility to a state. According to these rules, the State is responsible among others for the conduct of its organs, persons or entities which, even though they are not organs, are empowered by law to exercise governmental authority, as well as persons or groups of persons acting on the instructions of, or under the direction or control of that state.

The above norms also apply to conduct of states in cyberspace. The state may therefore be responsible for internationally wrongful acts of, for instance of hacker groups or individual hackers, if the conditions expressed in the Articles on the Responsibility of States are satisfied. At the same time, it should be remembered that the specific nature of cyberspace severely hampers the attribution of internationally wrongful acts to states or other actors."^[73]

Romania (2021)

"In cyber context, attribution (especially from the technical point of view) of the conduct to a State is difficult to determine given the fact that most of the times the actions are undertaken via proxies.

Therefore, if the conduct is not evident as being of a State organ, then, in order to be attributed to a State, it must be proven that it is:

• of a person or entity exercising elements of the governmental authority of that State
• of organs placed at the disposal of that State by another State
• of a person or entities acting under the instructions of, or under the direction or control of that State

In order to determine the degree of control reference should be made to the jurisprudence of the ICJ and of the various international courts and tribunals that have dealt with matters of State attribution."^[74]

Russia (2021)

"Under customary international law, a State is responsible for activities of its institutions, as well as that of individuals acting under its control. In information space it may be difficult to determine whether an individual is acting under control of a State or with its acquiescence. In this regard, it becomes increasingly relevant to formalize the norm of the 2015 GGE report stating that all accusations of organizing and implementing wrongful acts brought against States should be substantiated, as legally binding. In any case, one should refrain from publicly imposing responsibility for an incident in information space on a particular State without supplying necessary technical evidence".^[75]

Sweden (2022)

"Cyber operations conducted by State organs are attributed to the State, as are cyber operations conducted by persons empowered to exercise elements of governmental authority if acting in that particular capacity. A State is normally not responsible for the conduct of individuals not empowered to exercise governmental authority. However, in situations where non-state actors act on the instructions or under the direction or control of a State, that conduct is attributed to the State. Conduct not attributed to a State may nevertheless be considered an act of that State if that State acknowledges and adopts the conduct as its own."

[...]

"Legal attribution must be distinguished from public attribution. Legal attribution is an integral part in the process to establish and characterise an act in legal terms, and there is no legal requirement to disclose any evidence in relation to the assessment of attribution of conduct. Publicizing a decision on attribution is the prerogative of sovereign States and is not a requirement under international law.^[76]

Switzerland (2021)

"Attribution of a cybersecurity incident refers to the identification of the perpetrator and describes a holistic, interdisciplinary process. This includes analysing the technical and legal aspects of the incident, factoring in the geopolitical context, and using the entire intelligence spectrum for the purpose of gathering information. Using this approach, a state can attribute a cyber incident to another state or a private actor, either publicly or not, and it can decide to take further political measures.

The process described above includes legal attribution, which ascertains whether a cyber incident can be legally attributed to a state and if that state can be held responsible under international law in accordance with the rules on state responsibility; it also concerns how the injured state may respond (known as countermeasures, see section 6.2). The conduct of any state organ or person exercising an inherently governmental function is always legally attributable to the state concerned.18 If a cyber incident is carried out by a non-state actor, it can only be attributed to a state under certain conditions. In such cases, state responsibility only arises if the non-state actor acts on the instructions of a state, or under the direction or control of state organs. If this requirement is met, the conduct constitutes an act by the state and is attributable to that state. The injured state is also permitted to take countermeasures (see section 6.2). If the required interstate dimension is lacking however, international law does not in principle permit countermeasures against another state.

The decision to attribute conduct is at the discretion of the injured state and there is no obligation under international law to disclose the information leading to such a decision. Allegations of the organisation or implementation of an unlawful act against another state should however be substantiated."^[77]

United Kingdom (2018)

"These principles must be adapted and applied to a densely technical world of electronic signatures, hard to trace networks and the dark web. They must be applied to situations in which the actions of states are masked, often deliberately, by the involvement of non-state actors. And international law is clear - states cannot escape accountability under the law simply by the involvement of such proxy actors acting under their direction and control."

[...]

"As with other forms of hostile activity, there are technical, political and diplomatic considerations in publicly attributing hostile cyber activity to a state, in addition to whether the legal test is met.

There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances.

However, the UK can and does attribute malicious cyber activity where we believe it is in our best interests to do so, and in furtherance of our commitment to clarity and stability in cyberspace. Sometimes we do this publicly, and sometimes we do so only to the country concerned. We consider each case on its merits.

For example, the WannaCry ransomware attack affected 150 countries, including 48 National Health Service Trusts in the United Kingdom. It was one of the most significant attacks to hit the UK in terms of scale and disruption. In December 2017, together with partners from the US, Australia, Canada, New Zealand, Denmark and Japan, we attributed the attack to North Korean actors. Additionally, our attribution, together with eleven other countries, of the destructive NotPetya cyber-attack against Ukraine to the Russian government, specifically the Russian Military in February this year illustrated that we can do this successfully. If more states become involved in the work of attribution then we can be more certain of the assessment. We will continue to work closely with allies to deter, mitigate and attribute malicious cyber activity. It is important that our adversaries know their actions will be held up for scrutiny as an additional incentive to become more responsible members of the international community."^[78]

United Kingdom (2021)

"As well as bearing responsibility for acts of its organs and agents, a State is also responsible in accordance with international law where, for example, a person or a group of persons acts on its instructions or under its direction or control."

[...]

"The term ‘attribution’ is used in relation to cyberspace in both a legal and non-legal sense. It is used in a legal sense to refer to identifying those who are responsible for an internationally wrongful act. It is also used in a non-legal sense to describe the identification of actors (including non-state actors) who have carried out cyber conduct which may be regarded as hostile or malicious but does not necessarily involve an internationally wrongful act.

For the UK, there are technical and diplomatic considerations in determining whether to attribute publicly such activities in cyberspace. The decision whether to make a public attribution statement is a matter of policy. Each case is considered on its merits. The UK will publicly attribute conduct in furtherance of its commitment to clarity and stability in cyberspace or where it is otherwise in its interests to do so.

Whatever the nature of the attribution, there is no general legal obligation requiring a State to publicly disclose any underlying information on which its decision to attribute conduct is based."^[79]

United Kingdom (2022)

"I should also add that the nature of cyberspace means that it may not be evident, at least at first, whether a State is responsible for a particular action. This is also a space in which criminal gangs operate for financial profit. To be clear, State direction or control of non-State actors who undertake cyber operations of the kind I have described today would also represent unlawful conduct by that State, in line with international law on State responsibility. Cyber is no different from other spheres of activity in this sense. Provided that it is exercising the requisite degree of direction or control, a State is no less responsible for internationally unlawful cyber operations conducted by a ransomware gang than it would be for the unlawful actions of an armed group, or a corporation."^[80]

"Coordination between States, in a more general sense, is also crucial in responding to hostile State activity in cyberspace and imposing a cost on those who seek to abuse the freedom and opportunity that technological progress has provided them. States are developing more sophisticated and coordinated diplomatic and economic responses. This can be seen in the response to the recent operation targeting Microsoft Exchange servers, where 39 partners including NATO, the EU and Japan coordinated in attributing hostile cyber activity to China. It can also be seen in the response to the Russian SolarWinds hack which saw coordinated US, UK and allied sanctions and other measures."^[81]

United States (2012)

"States are legally responsible for activities undertaken through “proxy actors,” who act on the state’s instructions or under its direction or control. The ability to mask one’s identity and geography in cyberspace and the resulting difficulties of timely, high-confidence attribution can create significant challenges for states in identifying, evaluating, and accurately responding to threats. But putting attribution problems aside for a moment, established international law does address the question of proxy actors. States are legally responsible for activities undertaken through putatively private actors, who act on the state’s instructions or under its direction or control. If a state exercises a sufficient degree of control over an ostensibly private person or group of persons committing an internationally wrongful act, the state assumes responsibility for the act, just as if official agents of the state itself had committed it. These rules are designed to ensure that states cannot hide behind putatively private actors to engage in conduct that is internationally wrongful."^[82]

[...]

"[..]cyberspace significantly increases an actor’s ability to engage in attacks with “plausible deniability,” by acting through proxies. I noted that legal tools exist to ensure that states are held accountable for those acts. What I want to highlight here is that many of these challenges — in particular, those concerning attribution — are as much questions of a technical and policy nature rather than exclusively or even predominantly questions of law. Cyberspace remains a new and dynamic operating environment, and we cannot expect that all answers to the new and confounding questions we face will be legal ones."^[83]

United States (2016)

"From a legal perspective, the customary international law of state responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise governmental authority are attributable to that State, if such organs, persons, or entities are acting in that capacity.

Additionally, cyber operations conducted by non-State actors are attributable to a State under the law of state responsibility when such actors engage in operations pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own.

Thus, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies. When there is information — whether obtained through technical means or all-source intelligence — that permits a cyber act engaged in by a non-State actor to be attributed legally to a State under one of the standards set forth in the law of state responsibility, the victim State has all of the rights and remedies against the responsible State allowed under international law.

The law of state responsibility does not set forth explicit burdens or standards of proof for making a determination about legal attribution. In this context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not—and cannot be—required. Instead, international law generally requires that States act reasonably under the circumstances when they gather information and draw conclusions based on that information.

I also want to note that, despite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law."^[84]

United States (2021)

"The law of State responsibility supplies the standards for attributing acts, including cyber acts, to States. For example, cyber operations conducted by organs of a State or by persons or entities empowered by domestic law to exercise elements of governmental authority are attributable to that State. As important, as a legal matter, States cannot escape responsibility for internationally wrongful cyber acts by perpetrating them through proxies; cyber operations conducted by non-State actors are attributable to a State under the law of State responsibility when such operations are engaged in pursuant to the State’s instructions or under the State’s direction or control, or when the State later acknowledges and adopts the operations as its own. Thus, when there is information – whether obtained through technical means or all-source intelligence – that permits attribution of a cyber act of an ostensibly non-State actor to a State under the international law of State responsibility, the victim State has all of the rights and remedies against the responsible State permitted to it under international law.

The law of State responsibility does not set forth burdens or standards of proof for attribution. Such questions may be relevant for judicial or other types of proceedings, but they do not apply as an international legal matter to a State’s determination about attribution of internationally wrongful cyber acts for purposes of its response to such acts, including by taking unilateral, self-help measures permissible under international law, such as countermeasures. In that context, a State acts as its own judge of the facts and may make a unilateral determination with respect to attribution of a cyber operation to another State. Absolute certainty is not required. Instead, international law generally requires that States act reasonably under the circumstances. Similarly, there is no international legal obligation to reveal evidence on which attribution is based. But to facilitate global understanding of emerging state practice in this rapidly developing area, public attributions should, wherever feasible, include sufficient evidence to allow corroboration or cross-checking of allegations.

Attribution plays an important role in States’ responses to malicious cyber activities as a matter of international law. It is crucial, however, to distinguish legal attribution from attribution in the technical and political senses. States and commentators often express concerns about the challenge of attribution in a technical sense – that is, the challenge in light of certain characteristics of cyberspace of obtaining facts, whether through technical indicators or all-source intelligence, that would inform a State’s policy and legal determinations about a particular cyber incident. Others have raised issues related to political decisions about attribution – that is, considerations that might be relevant to a State’s decision to go public and identify another State as the actor responsible for a particular cyber incident and to condemn a particular cyber act as unacceptable. As norms emerge to clarify how international law addresses the issue of attribution, it would be useful, wherever possible, for law-abiding states to share information regarding both technical knowhow and state practice."^[85]

Appendixes

See also

• Scenario 02: Cyber espionage against government departments
• Scenario 05: State investigates and responds to cyber operations against private actors in its territory
• Scenario 06: Cyber countermeasures against an enabling State
• Scenario 08: Certificate authority hack
• Scenario 09: Economic cyber espionage
• Scenario 11: Sale of surveillance tools in defiance of international sanctions
• Scenario 13: Cyber operations as a trigger of the law of armed conflict
• Scenario 14: Ransomware campaign
• Scenario 17: Collective responses to cyber operations
• Scenario 23: Vaccine research and testing

Notes and references

Bibliography and further reading

Definition

Breach of an international obligation

The second element of an internationally wrongful act is conduct amounting to a breach of an international obligation owed by the relevant entity.[3] In this regard, it is undisputed that a cyber-related action or omission by a State may constitute a breach of its international obligations.[4] International obligations arise from primary rules of international law:[5] international treaties, customary international law, and general principles of law.[6] Fault, such as intent or negligence on part of the wrongdoing State, is not a necessary element of a breach of an international obligation, unless there exists such a requirement in the relevant primary rule.[7] Similarly, there is no general requirement for the injured party to have suffered any damage—again, unless such a requirement forms part of the primary obligation in question.[8] It is impossible to provide a list of all international obligations that may be violated by resort to cyber means. However, certain rules appear with higher frequency than others. These include the prohibition on the use of force; the prohibition of intervention; the obligation to respect the sovereignty of other States; the obligation to respect the right to privacy; the obligation of due diligence; and a few others (such as, for instance, the rule of distinction in the context of the law of armed conflict).

Appendixes

See also

Notes and references

Bibliography and further reading

Prohibition of intervention (conditions)

In general

Peacetime cyber espionage

Peacetime espionage has been traditionally considered as unregulated by international law. This is also reflected in the Tallinn Manual 2.0, which posits that ‘[a]lthough peacetime cyber espionage by States does not per se violate international law, the method by which it is carried out might do so.’[70] However, the methods of peacetime cyber espionage are varied and the legal consensus is almost non-existent with regard to cyber operations below the threshold of use of force or armed attack. It must be noted that although cyber espionage operations are generally not illegal from the perspective of international law, they are usually prohibited according to the domestic law of the target State. Moreover, the acting State’s authorities will also typically be subject to specific domestic law prescriptions pertaining to the conduct of foreign intelligence operations. Conversely, the mere fact that an operation is a cyber espionage operation does not make it legal in international law, according to a majority of the experts drafting Tallinn Manual 2.0.[71] According to a minority of the experts, espionage creates an exception for certain otherwise illegal cyber operations.[72] Publicly available national positions that address this issue include: (2020), (2021).

Economic cyber espionage

Economic cyber espionage

The United States has, already in its 2011 International Strategy for Cyberspace, declared that it “will take measures to identify and respond to [persistent theft of intellectual property, whether by criminals, foreign firms, or state actors working on their behalf,] to help build an international environment that recognizes such acts as unlawful and impermissible, and hold such actors accountable.”[73] The G20 countries reaffirmed in 2015 that “no country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.”[74] In September 2015, the US and China agreed on a similar commitment on a bilateral basis.[75] Therefore, there is a push to curb the practice by developing a prohibition of such practice as a matter of international law. However, according to the prevailing opinion, no such prohibition has crystallised in customary international law. In this regard, it is noteworthy that the 2015 UN GGE report does not mention economic cyber espionage among the applicable norms, rules, and principles of responsible State behaviour in cyberspace.[76] Several authors,[77] including experts of the Tallinn Manual 2.0,[78] consider that there is no distinction between economic cyber espionage and other forms of cyber espionage in general international law.[79] Additionally, no international consensus exists that agreements such as the WTO TRIPS[80] protect trade secrets against espionage conducted by a foreign state, and it is unclear whether the affected company can challenge the spying State in a domestic court or pursuant to a bilateral investment treaty, if there is one.[81] Accordingly, such conduct is not subject to any general prohibition under extant international law.

National positions

United States (2020)

"For cyber operations that would not constitute a prohibited intervention or use-of-force, the Department believes there is not sufficiently widespread and consistent State practice resulting from a sense of legal obligation to conclude that customary international law generally prohibits such non-consensual cyber operations in another State’s territory. This proposition is recognized in the Department’s adoption of the “defend forward” strategy: “We will defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.” The Department’s commitment to defend forward including to counter foreign cyber activity targeting the United States—comports with our obligations under international law and our commitment to the rules-based international order.

The DoD OGC view, which we have applied in legal reviews of military cyber operations to date, shares similarities with the view expressed by the U.K. Government in 2018. We recognize that there are differences of opinion among States, which suggests that State practice and opinio juris are presently not settled on this issue. Indeed, many States’ public silence in the face of countless publicly known cyber intrusions into foreign networks precludes a conclusion that States have coalesced around a common view that there is an international prohibition against all such operations (regardless of whatever penalties may be imposed under domestic law).

Traditional espionage may also be a useful analogue to consider. Many of the techniques and even the objectives of intelligence and counterintelligence operations are similar to those used in cyber operations. Of course, most countries, including the United States, have domestic laws against espionage, but international law, in our view, does not prohibit espionage per se even when it involves some degree of physical or virtual intrusion into foreign territory. There is no anti-espionage treaty, and there are many concrete examples of States practicing it, indicating the absence of a customary international law norm against it. In examining a proposed military cyber operation, we may therefore consider the extent to which the operation resembles or amounts to the type of intelligence or counterintelligence activity for which there is no per se international legal prohibition.

Of course, as with domestic law considerations, establishing that a proposed cyber operation does not violate the prohibitions on the use of force and coercive intervention does not end the inquiry. These cyber operations are subject to a number of other legal and normative considerations."^[82]

United States (2021)

"In certain circumstances, one State’s non-consensual cyber operation in another State’s territory, even if it falls below the threshold of a use of force or non-intervention, could also violate international law. However, a State’s remote cyber operations involving computers or other networked devices located on another State’s territory do not constitute a per see violation of international law. In other words, there is no absolute prohibition on such operations as a matter of international law. This is perhaps most clear where such activities in another State’s territory have no effects or de minimise effects. The very design of the Internet may lead to some encroachment on other sovereign jurisdictions."^[83]

Appendixes

See also

• Scenario 01: Election interference
• Scenario 02: Cyber espionage against government departments
• Scenario 09: Economic cyber espionage

Notes and references

Bibliography and further reading