Scenario 21: Misattribution caused by deception

From International cyber law: interactive toolkit

A State launches a cyber operation against another State but orchestrates the attack in a way that points towards a third country as the wrongdoer. The victim State launches retaliatory measures against the alleged wrongdoer. The legal analysis of this scenario examines legal responsibility for cyber retaliation directed against the wrong target due to misattribution. It also assesses whether a mistake of fact can alleviate international responsibility of the responding State towards the victim State.

Scenario

Keywords

Deception, mistake of fact, misattribution, evidence, countermeasures

Facts

[F1] State A decides to conduct a harmful cyber operation against State B with deceptive elements to orchestrate wrongful attribution of this operation to its global competitor, State C. The aim is that misattribution of such a false-flag cyber operation will be followed by retaliatory measures of State B against State C.

[F2] Thus, the Central Intelligence Bureau of State A covertly launches a sophisticated deceptive cyber operation against State B (incident 1). The malware used against State B causes significant damage to its electric power grid. In particular, servers and workstations of the National Grid Control Centre of State B are knocked offline by deleting critical system files, resulting in temporary loss of control over the distribution of power across the country and local power outages. As a result, the e-government services provided by State B are down in some regions for about a week.

[F3] The malware was created in such a way as to point towards State C. Specific segments of code, toolkits and methods are used and combined in a way that allows State B to identify false but persuasive traces leading to State C. The alleged origin of the cyber incidents from State C is also confirmed by information acquired by State B’s intelligence services.

[F4] State B publicly denounces State C for the hostile cyber operation. At the same time, as a retaliation, its central intelligence service conducts a reciprocal cyber operation against the internal servers of the central national authority that is responsible for the distribution of electric power in State C (incident 2). This operation leads to country-wide power outages in State C and a similar disruption of e-government services provided by State C.

Examples

Legal analysis

For a general overview of the structure of analysis in this section, see Note on the structure of articles.

[L1] The scenario consists of two distinct acts of two actors: the false-flag operation carried out by State A against State B (incident 1) and the retaliatory operation of State B against State C (incident 2). The scenario analyses and discusses various aspects of international responsibility in connection with these acts. The analysis first proceeds with the assessment of the initial false-flag cyber operation of State A against State B (incident 1) and then it continues with the assessment of the retaliatory measures of State B against State C (incident 2).

Responsibility of State A

Responsibility for the false-flag cyber operation

[L2] The false-flag cyber operation of State A against State B (incident 1) amounts to a breach of the prohibition of intervention and obligation to respect sovereignty of other States.[1] State A launched a sophisticated cyber operation against State B that caused the loss of control over the distribution of power across its territory and local power outages. This coercive action led to the loss of functionality of State B’s critical infrastructure and its e-government systems, significantly reducing its capability to serve its inherently governmental functions and its ability to conduct its affairs freely. Alternatively, the disruption of critical infrastructure by cyber means could be linked to a loss of functionality of cyber infrastructure and hence a violation of territorial sovereignty.[2] Some States would even consider a mere disruption of critical infrastructure as such a violation. Based on the facts provided, the conduct is attributable to State A since it was conducted by its central intelligence service, which is an organ of State A.[3]

Responsibility for the internationally wrongful act of another State

[L3] A challenging question arises whether State A was internationally responsible for the wrongful conduct committed by State B against State C, but orchestrated by State A (incident 2). In other words, is it possible, and if so, on what grounds, for State C as the injured State to invoke the responsibility of State A for the consequences caused by the retaliatory measures of State B? The rules on State responsibility contain legal constructions on how a State can incur responsibility in connection with the wrongful conduct of another State. These rules are also applicable to cyberspace.[4]

Responsibility of a State for the conduct of another State
A joint or collective wrongful act may result in a plurality of responsible States.[5] According to the principle of independent responsibility, each State is responsible for its own internationally wrongful conduct.[6] However, a State may also be responsible for a wrongful act of another State if it is implicated in the conduct of the latter. International law recognizes several forms of derived international responsibility:[7]
  • Aid or assistance with a view to assisting in the commission of a wrongful act by another State;[8]
  • Direction or control over the commission of an internationally wrongful act of another State;[9]
  • Coercion of another State into the commission of an internationally wrongful act.[10]

In all three cases, the State is responsible if it acts with knowledge of the circumstances of the internationally wrongful act.[11]

These forms of implication have in common that the specific nature of the relationship between the State that is the actual author of the unlawful act and the implicated State causes the incurrence of responsibility of the latter.[12]

The assisting State will typically not be responsible for the assisted wrongful act[13] but for a distinct wrongful act – i.e., for deliberately assisting another State in breaching an international obligation by which they are both bound.[14] In contrast, the exercise of direction and control or coercion by one State over the commission of an internationally wrongful act by another incurs responsibility for the act itself[15] towards the injured State.[16] The coerced State might benefit from force majeure if the requirements are met.[17] In that case, it would be solely the State exerting coercion that would bear responsibility.[18]

Publicly available national positions that address this issue include: National position of Germany (2021), National position of New Zealand (2020).

[L4] The commission of a false-flag cyber operation by State A does not fit any of the recognized forms of implication of international responsibility for the conduct of State B. The nature of the relationship between the two States cannot be qualified as aid or assistance since State B was not aware of the origin of the false-flag operation and intent of State A. There was also no relationship of dependence that would amount to direction or control.[19] Finally, State B was not coerced to engage in retaliatory measures against State C as it was not deprived of its freedom of action.[20] Consequently, it is not possible for State C as the injured State to invoke the responsibility of State A for the consequences caused by the retaliatory measures of State B (incident 2).

Responsibility for deceptive conduct

[L5] It could be questioned whether State A’s misleading of State B into the commission of an internationally wrongful act against State C itself amounts to a separate breach of an international legal obligation and if so, which international obligation. In other words, does misleading another State to act in an unlawful way itself constitute a violation of international law on the part of the deceiving State?

[L6] Misleading another State is not per se regulated by international law; however, it may be contrary to the sic utere tuo (no harm) principle. This principle is recognized as a limitation on State sovereignty[21] and in specific areas (in particular, international environmental law) as a distinct legal norm.[22] However, it does not at the present time constitute a standalone legal rule applicable in the cyber context.[23] Consequently, misleading another State to engage in misdirected cyber retaliation does not in itself constitute a violation of international law.

Retaliatory measures and responsibility of State B

State responsibility
Responsibility of States for internationally wrongful acts is a well-established concept in international law, resulting from the fact that each State has a legal personality and can bear legal obligations.[24] The law of State responsibility is largely customary in nature; its codification is provided by the International Law Commission's Articles on State Responsibility.[25] While some of the Articles are more controversial, they are generally accepted as reflective of customary law.[26] The law of State responsibility also applies to cyber operations and other cyber activities.[27]

Every internationally wrongful act of a State – entailing both acts and omissions – has two elements: 1) attributability to the State under international law, and 2) breach of an international obligation of the State.[28] Besides these two elements, it is necessary to ascertain whether the act in question involved any 3) circumstances precluding wrongfulness.[29]

An internationally wrongful act entails the State’s international responsibility and gives rise to legal consequences, including the obligation to cease the conduct (if applicable) and the obligation to make full reparation for the injury caused.[30]

Publicly available national positions that address this issue include: Common position of the African Union (2024), National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of Costa Rica (2023), National position of Denmark (2023), National position of Estonia (2019), National position of Estonia (2021), National position of Finland (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of New Zealand (2020), National position of Norway (2021), National position of the Republic of Poland (2022), National position of Romania (2021), National position of the Russian Federation (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United Kingdom (2022), National position of the United States of America (2021).

[L7] State B launched a cyber operation against State C (incident 2). Based on the facts provided, the conduct is also attributable to State B since it was conducted by its central intelligence service, which is a State organ.[31] This operation caused a loss of functionality of State C's critical infrastructure and its e-government systems, significantly reducing its capability to serve its inherently governmental functions and its ability to conduct its affairs freely. Alternatively, the disruption of critical infrastructure by cyber means could be linked to a loss of functionality of cyber infrastructure and hence a violation of territorial sovereignty.[32] Some States would even consider a mere disruption of critical infrastructure as such a violation. Such action amounted to the violation of the prohibition of intervention and of the obligation to respect sovereignty of other States.[33] The international responsibility of State B may be precluded if its conduct fulfils the conditions of any of the circumstances precluding wrongfulness. The next two subsections examine whether the wrongfulness of State B’s conduct could be precluded on the grounds that it qualifies as a lawful countermeasure or that the State was acting in error.

Countermeasures

Countermeasures
Countermeasures are “measures that would otherwise be contrary to the international obligations of an injured State vis-à-vis the responsible State, if they were not taken by the former in response to an internationally wrongful act by the latter in order to procure cessation and reparation”.[34] Several States, including Australia,[35] Austria,[36] Canada,[37] Estonia,[38] France,[39] Germany,[40] Italy,[41] Japan,[42] the Netherlands,[43] New Zealand,[44] Norway,[45] Singapore,[46] Sweden,[47] the United Kingdom,[48] and the United States,[49] have expressly confirmed the applicability of the law of countermeasures to cyber operations. Others, including Brazil,[50] China,[51] and Cuba,[52] have expressed caution in this regard. Countermeasures should be distinguished from retorsions, which are unfriendly but lawful acts by the aggrieved party against the wrongdoer.

As a matter of general international law, an injured State may only take countermeasures against the responsible State if the following conditions are met:

  1. The existence of a prior internationally wrongful act of the responsible State against the injured State.[53] If that act consists of a cyber operation, this means that the operation must have amounted to a breach of the obligations of the responsible State that is attributable to that State;
  2. The injured State has called upon[54] the responsible State to fulfil its obligations arising from its internationally wrongful act;[55] and
  3. The injured State has notified the responsible State of its decision to take countermeasures, and offered to negotiate with that State, unless it is taking “urgent countermeasures as are necessary to preserve its rights.”[56] Some States, such as Canada,[57] Israel,[58] Norway,[59] the United Kingdom[60] and the United States[61] have advocated for a particular approach to the notification requirement in the cyber realm, in particular to preserve the effectiveness of the measures and/or to avoid exposing sensitive capabilities of the responding State.[62]

Additionally, the countermeasures must fulfil the following requirements:

  1. Their aim must be to induce the responsible State to comply with the legal consequences of its internationally wrongful act;[63] hence, the aim of countermeasures is restoration, not retribution or retaliation; and the countermeasures can only target the responsible State;
  2. They “shall, as far as possible, be taken in such a way as to permit the resumption of performance of the obligations in question”;[64]
  3. They shall not affect the obligation to refrain from the threat or use of force,[65] obligations for the protection of fundamental human rights, of a humanitarian character prohibiting reprisals, or other “obligations under peremptory norms of general international law”;[66] obligations under any dispute settlement procedure between the injured and responsible State, and obligations arising from the inviolability of diplomatic or consular agents, premises, archives and documents;[67] and
  4. They must be “commensurate with the injury suffered, taking into account the gravity” of the prior unlawful act and of the rights in question (i.e. the “proportionality” requirement).[68] However, proportionality does not require that the adopted measures must be equivalent, reciprocal or even in kind.[69] As clearly expressed by many States, including Canada,[70] Germany,[71] Italy,[72] Japan,[73] Norway,[74] Sweden,[75] Switzerland,[76] the United Kingdom[77] and the United States,[78] countermeasures against cyber operations can be non-cyber in nature, and cyber countermeasures may be adopted in response to non-cyber wrongful acts.

Countermeasures are temporary in nature. In case the original internationally wrongful act has ceased, and the dispute is submitted in good faith to a court or tribunal with the authority to make decisions binding on the parties, countermeasures may not be taken and if already taken, must be suspended,[79] except if the responsible State fails to implement the dispute settlement procedures in good faith.[80] Countermeasures must also be terminated as soon as the responsible State has complied with its (secondary) obligations.[81]

There is an ongoing debate as to whether States that have not themselves been directly injured by an unlawful cyber operation may engage in countermeasures in support of the injured State (sometimes referred to as "collective countermeasures").[82] In particular, Estonia has opined that non-injured States “may apply countermeasures to support the state directly affected by the malicious cyber operation”,[83] a view that has also received some support from New Zealand.[84] This would apply where diplomatic action is insufficient, but no lawful recourse to use of force exists. This interpretation would allow States to offer active assistance to other States, which may not possess sufficient cyber capabilities themselves to counter an ongoing unlawful cyber operation, or otherwise deter the responsible State with other non-cyber countermeasures.[85] However, this view has since been rejected by at least one State (France),[86] while others, such as Canada, do not yet consider there to be “sufficient State practice or opinio juris to conclude that [collective countermeasures] are permitted under international law”.[87] Therefore, it has to be regarded as a call for progressive development of international law, rather than a statement of the current state of international law.

Whether a particular measure fulfils these conditions is an objective question,[88] while the burden of proof that the relevant conditions have been fulfilled falls on the injured State.[89] The exact standard of proof required is unsettled in international law and it will depend on the relevant forum. However, relevant international jurisprudence tends to rely on the standard of “clear and convincing evidence”.[90] This standard translates in practice into a duty to “convince the arbiter in question that it is substantially more likely than not that the factual claims that have been made are true”.[91] Importantly, if a State does resort to countermeasures on the basis of an unfounded assessment that a breach has occurred, it may incur international responsibility for its own wrongful conduct.[92]

Publicly available national positions that address this issue include: National position of Australia (2020), National position of Brazil (2021), National position of Canada (2022), National position of Costa Rica (2023), National position of Denmark (2023), National position of Estonia (2019), National position of Estonia (2021), National position of Finland (2020), National position of France (2019), National position of Germany (2021), National position of Ireland (2023), National position of Israel (2020), National position of the Italian Republic (2021), National position of Japan (2021), National position of the Netherlands (2019), National position of New Zealand (2020), National position of Norway (2021), National position of the Republic of Poland (2022), National position of Romania (2021), National position of the Russian Federation (2021), National position of Singapore (2021), National position of the Kingdom of Sweden (2022), National position of Switzerland (2021), National position of the United Kingdom (2018), National position of the United Kingdom (2021), National position of the United Kingdom (2022), National position of the United States of America (2016), National position of the United States of America (2020), National position of the United States of America (2021).

[L8] As the first basic precondition, the act constituting a countermeasure must be taken in response to a previous internationally wrongful act of another State and must be directed against that State.[93] This appears problematic in the present case since the technical evidence and intelligence information acquired by State B point towards State C as the wrongdoer, but in reality, the author of the false-flag cyber operation was State A. Identification of the wrongdoer and attribution in the context of cyber operations is challenging due to evidentiary and technical[94] peculiarities of cyberspace that make it possible to hide identity and leave false traces.[95]

[L9] However, the criteria for establishment of international responsibility are objective.[96] Subjective considerations, including mistakes of fact, fault[97] or intent are not relevant unless otherwise provided by the primary norm in question.[98] Since the false-flag operation was carried out by State A and therefore cannot be attributed to State C, the condition of an internationally wrongful act attributable to State C is not fulfilled and countermeasures cannot be lawfully directed against this State.

[L10] Moreover, the retaliatory measures of State B do not fulfil other requirements for countermeasures in international law, namely a previous call upon the allegedly responsible State to fulfil its obligations, notification of the intended countermeasures and an offer to negotiate.[99] Since the very first condition of countermeasures – the existence of an internationally wrongful act on the part of State C – is not met, it is not necessary to engage in an in-depth analysis of these other requirements.[100]

Relevance of mistake of fact

Mistake of fact (Law of State responsibility)
Mistake of fact plays a role in some areas of international law, such as international criminal law or the law of international treaties.[101] With respect to the law of State responsibility, relevance of mistake of fact can be discussed in the context of the criteria establishing State responsibility and of the circumstances precluding wrongfulness.

With respect to the criteria for the establishment of international responsibility (breach of an international obligation and attribution), possible mistakes of fact do not play any role since these criteria are objective in nature,[102] which means that subjective considerations are not directly relevant.[103]

The same applies to the question of the relevance of mistakes of fact with respect to circumstances precluding wrongfulness. First, a mistake of fact does not constitute a standalone circumstance precluding wrongfulness recognized in international law, including in cyberspace. This is evidenced by the fact that errors or mistakes of fact are absent from the authoritative list of such circumstances in the ILC’s Articles on State Responsibility.[104]

Second, a mistake of fact also cannot serve as a ground for the invocation of any of the established circumstances precluding wrongfulness since none of them requires an inquiry into a subjective element, such as fault[105] or error.[106] Specifically with respect to countermeasures, the law of State responsibility is based on an objective standard.[107] A State resorting to countermeasures does so at its own risk and on the basis of its unilateral assessment of the situation. An incorrect assessment, including in the event of misattribution of malicious cyber operations,[108] may result in the commission of a wrongful act by the State resorting to countermeasures for which that State would be internationally responsible.[109]

[L11] The wrongful conduct of State B against State C was a consequence of misattribution caused by the wilful deception orchestrated by State A. Despite the existence of the mistake of fact in this case, conditions of international responsibility of State B are established due to their objective nature.

[L12] It is then to be discussed whether the mistake of fact on the part of State B alleviates the wrongfulness of its retaliatory operation against State C. However, mistake of fact does not qualify as a distinct circumstance precluding wrongfulness, nor is it relevant for the invocation of any of the recognized circumstances precluding wrongfulness. It follows that State B is internationally responsible for the retaliatory operation against State C, even if it acted in error.

[L13] The wrongfulness of the retaliatory operation of State B against State C is not precluded by any circumstance precluding wrongfulness. Therefore, the conduct of State B constitutes an internationally wrongful act.

Checklist

  • Sovereignty:
    • Does the conduct of State A amount to a breach of sovereignty of State B?
    • Does the conduct of State B amount to a breach of sovereignty of State C?
  • Prohibition of intervention:
    • Does the conduct of State A or State B amount to a violation of the prohibition of intervention under international law?
  • False-flag operation:
    • Did State A coerce State B to engage in retaliation against State C?
    • Did State A aid or assist State B in retaliation against State C?
    • Did State A control State B with respect to retaliation against State C?
  • Countermeasures:
    • Is State B applying countermeasures in response to a prior internationally wrongful act of the responsible State?
    • Do the measures taken by State B meet the conditions prescribed for the lawful resort to countermeasures under international law?
    • Are the retaliatory measures directed against the State to which the internationally wrongful act can be attributed?
    • What is the relevance of mistake of fact?
  • Circumstances precluding wrongfulness:
    • Are the conditions of any of the circumstances precluding wrongfulness met?
    • Does error or mistake of fact qualify as, or is it relevant for, any of the circumstances precluding wrongfulness?

Appendixes

See also

Notes and references

  1. For detailed analysis of these obligations, including the question of the breach of the prohibition of the use of force, see a similar fact pattern in Scenario 3 and Scenario 17. See also the Case Concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgement (1986) at para 205 and the Tallinn Manual 2.0, Commentary to Rule 66, paras 15-18.
  2. Tallinn Manual 2.0, commentary to rule 4, para 13.
  3. Tallinn Manual 2.0, Rule 15. See also Attribution.
  4. Tallinn Manual 2.0, Rule 18.
  5. See in detail Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010) 282-284.
  6. James Crawford, State Responsibility: The General Part (CUP 2013) 333; ILC Articles on State Responsibility, commentary to Part IV, para 1.
  7. James Crawford, State Responsibility: The General Part (CUP 2013) 336.
  8. ILC Articles on State Responsibility, Art. 16. This concept was applied by the ICJ in the Bosnian Genocide Case, see Case Concerning Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), ICJ, Judgement (2007) para 420.
  9. ILC Articles on State Responsibility, Art. 17. This form of indirect responsibility is rather rare, belligerent occupation being one of the few possible examples. Distinction must be made from the situation where an organ of one State has been placed at the disposal of another State - upon certain conditions, acts of this organ might be attributable to the latter State. See Tallinn Manual 2.0, Rule 16.
  10. ILC Articles on State Responsibility, Art. 18.
  11. ILC Articles on State Responsibility, Arts 16(a), 17(a) and 18(b); See also Germany's national position.
  12. Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010) 284.
  13. In situations where aid or assistance is an essential and integral element of the assisted State's operation, the assisting State may be responsible for the assisted conduct. Responsibility of the assisting State therefore attaches to the extent of its contribution. See Tallinn Manual 2.0, commentary to Rule 18, para 6.
  14. Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010) 285; ILC Articles on State Responsibility, commentary to Art. 16, para 10.
  15. ILC Articles on State Responsibility, commentary to Art. 17, para 1, commentary to Art. 18, paras 1 and 7; Tallinn Manual 2.0, commentary to Rule 18, para 6.
  16. Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010) 288.
  17. ILC Articles on State Responsibility, commentary to Art. 23, para 3.
  18. Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010) 288-289.
  19. Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010) 287-288. It might be noted that the mere incitement is not unlawful in the law of State responsibility.
  20. The above-described forms of derived responsibility may have relevance in different scenarios. For example, a State knowingly providing its cyber infrastructure to another State for the commission of a wrongful act by the latter may incur international responsibility for such assistance (Tallinn Manual 2.0, Commentary to Rule 18, para 6). The above-described forms of derivative responsibility may also be relevant when a cyber operation is conducted through networks of computers infected and used remotely without the free will of the territorial State (botnets as used against Estonia in 2007) - see François Delerue, Cyber Operations and International Law (CUP 2020) 307.
  21. Jutta Brunnée, ‘Sic utere tuo ut alienum non laedas’, in Rüdiger Wolfrum (ed) Max Planck Encyclopedia of Public International Law (updated March 2010) paras 4 and 9.
  22. Ibid, para 10; Legality of the Threat or Use of Nuclear Weapons, ICJ, Advisory Opinion (1996) para 29.
  23. François Delerue, Cyber Operations and International Law (CUP 2020), Chapter 8: Cyber Operations and the Principle of Due Diligence.
  24. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 1.
  25. Articles on the Responsibility of States for Internationally Wrongful Acts, prepared by the International Law Commission and approved by the General Assembly resolution 56/83 of 12 December 2001.
  26. James Crawford, “State Responsibility”, in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008), para 65.
  27. UN GGE 2015 'Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security report' (22 July 2015) UN Doc A/70/174, para 28(f); Tallinn Manual 2.0, commentary to rule 14, para 1. See also, e.g., Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated) (‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’); Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 1 (‘Any violation of [obligations under international law that apply to states in cyberspace] that is attributable to a state constitutes an internationally wrongful act, unless there is a ground for precluding the wrongfulness of an act recognised in international law’); United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017) (‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime’).
  28. ILC Articles on State Responsibility, Art 2.
  29. ILC Articles on State Responsibility, Arts 20-26.
  30. ILC Articles on State Responsibility, Arts 28, 30 and 31.
  31. ILC Articles on State Responsibility, Art. 4; Tallinn Manual 2.0, Rule 15. See also Attribution.
  32. Tallinn Manual 2.0, commentary to rule 4, para 13.
  33. For detailed analysis of these obligations, including the question of the breach of the prohibition of the use of force, see a similar fact pattern in Scenario 3 and Scenario 17. See also the Case Concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgement (1986) at para 205 and the Tallinn Manual 2.0, Commentary to Rule 66, paras 15-18.
  34. ILC Articles on State Responsibility, Commentary, part 3 ch 2 at para 1.
  35. Australian Government, Australia's position on how international law applies to State conduct in cyberspace (2020).
  36. Austria, Pre-Draft Report of the OEWG - ICT: Comments by Austria (31 March 2020), stating that ‘a violation of the principle of State sovereignty constitutes an internationally wrongful act – if attributable to a State – for which a target State may seek reparation under the law of State responsibility. A target State may also react through proportionate countermeasures.’ (emphasis added).
  37. Government of Canada, International Law applicable in cyberspace (April 2022) para 34.
  38. Estonia, ‘President of the Republic at the opening of CyCon 2019’ (29 May 2019), stating that “states have the right to react to malicious cyber operations, including using diplomatic response but also countermeasures”.
  39. French Ministry of the Armies, ‘International Law Applied to Operations in Cyberspace’ (9 September 2019) 6, stating that ‘In response to a cyberattack, France may consider diplomatic responses to certain incidents, countermeasures, or even coercive action by the armed forces if an attack constitutes armed aggression.’
  40. Germany, ‘Statement by Ambassador Dr Thomas Fitschen, Director for the United Nations, Cyber Foreign Policy and Counter-Terrorism, Federal Foreign Office of Germany’ (November 2018) 3, stating that ‘in case of a cyber operation that is in breach of an international legal obligation below the level of the use or threat of force prohibited by Art. 2 (IV) [of the UN Charter] States are also entitled to take countermeasures as allowed by international law.’
  41. Italian Ministry for Foreign Affairs and International Cooperation, 'Italian position paper on "International law and cyberspace"' (2021) 7-8.
  42. Japan, ‘Japan’s Position Paper for the Report of the United Nations Open-Ended Working Group on “Developments in the Field of Information and Telecommunications in the Context of International Security”’ (undated), stating that ‘Japan recognizes that basic rules on State responsibility including those on countermeasures applies to cyberspace.’
  43. Dutch Ministry of Foreign Affairs, ‘Letter to the parliament on the international legal order in cyberspace’ (5 July 2019) 7.
  44. New Zealand Foreign Affairs and Trade, The Application of International Law to State Activity in Cyberspace (1 December 2020) 3-4.
  45. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 72-73.
  46. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 84.
  47. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 6.
  48. United Kingdom, ‘Statement on Other Disarmament Measures and International Security to the 72nd UNGA First Committee’ (23 October 2017), stating that ‘We reaffirm that the law of state responsibility applies to cyber operations in peacetime, including the availability of the doctrine of countermeasures in response to internationally wrongful acts.’
  49. Brian J. Egan, ‘Remarks on International Law and Stability in Cyberspace’ (10 November 2016), stating that countermeasures are available ‘to address malicious cyber activity’ if that activity amounts to a prior internationally wrongful act attributable to another State.
  50. Brazil, ‘Open-ended Working Group on developments in the field of information and telecommunications in the context of international security: Second Substantive Session - New York, 11 February 2020: Statement by the Delegation of Brazil’ (11 February 2020), stating that ‘In the case of malicious acts in cyberspace, it is often difficult to attribute responsibility to a particular State or actor with unqualified certainty. A decision to resort to countermeasures in response to such acts carries a high risk of targeting innocent actors, and of triggering escalation.’
  51. China, ‘Statement by the Chinese Delegation at the Thematic Debate of the First Committee of the 72th UNGA’ (October 2017), stating that ‘Countries should discuss application of international law in the manner conducive to maintain peace, avoid introducing force, deterrence and countermeasures into cyberspace, so as to prevent arms race in cyberspace and reduce risks of confrontation and conflicts.’
  52. Cuba, ‘Declaration by Miguel Rodríguez, Representative of Cuba, at the Final Session of Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security’ (23 June 2017), registering ‘serious concern over the pretension of some, reflected in para 34 of the draft final report, to convert cyberspace into a theater of military operations and to legitimize, in that context, unilateral punitive force actions, including the application of sanctions and even military action by States claiming to be victims of illicit uses of ICTs.’ (emphasis added).
  53. ILC Articles on State Responsibility, Art 49 para 1; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 83.
  54. ILC Articles on State Responsibility, Art 52 para 1 subpara a). According to the UK Attorney General, the UK does not feel legally obliged, when taking countermeasures in response to a covert cyber intrusion, to “give prior notification to the hostile state”. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’.
  55. ILC Articles on State Responsibility, Art 28-41; the list of consequences includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
  56. ILC Articles on State Responsibility, Art 52 para 1 subpara b) – Art 52 para 2.
  57. Government of Canada, International Law applicable in cyberspace (April 2022).
  58. Roy Schöndorf, Israel’s Perspective on Key Legal and Practical Issues Concerning the Application of International Law to Cyber Operations (8 December 2020).
  59. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 72-73.
  60. UK Attorney General, Jeremy Wright QC MP, ‘Cyber and International Law in the 21st Century’ (2018); United Kingdom Foreign, Commonwealth & Development Office, Application of international law to states’ conduct in cyberspace: UK statement (3 June 2021).
  61. Hon Paul C Ney, Jr., DOD General Counsel Remarks at U.S. Cyber Command Legal Conference (2 March 2020).
  62. See also Tallinn Manual 2.0, commentary to rule 21, paras 10–12.
  63. ILC Articles on State Responsibility, Art 49(1); Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 87. The list of consequences in Art 28-41 includes (i) continued duty of performance, (ii) cessation and non-repetition, (iii) reparation, and (iv) particular consequences of a serious breach of obligations under peremptory norms of general international law.
  64. ILC Articles on State Responsibility, Art 49(3).
  65. The position of the ILC has been followed by States in their national positions, including Australia, Brazil, Canada, Finland, France, Italy, the Netherlands, New Zealand, Norway, Russia, Sweden, Switzerland and the UK. For an alternative view on “forcible countermeasures” see Oil Platforms (Islamic Republic of Iran v. United States of America) Judgment, I.C.J. Reports 2003, 16, Separate Opinion of Judge Simma [12 and ff].
  66. ILC Articles on State Responsibility, Art 50(1).
  67. ILC Articles on State Responsibility, Art 50(2).
  68. Articles on State Responsibility, Art 51; Case Concerning the Gabčíkovo-Nagymaros Project (Hungary/Slovakia) (Judgment) 1997 ICJ Rep 7, para 85.
  69. See ILC Articles on State Responsibility, part 3, para 5; see also Tallinn Manual 2.0, commentary to rule 23, para 7.
  70. Government of Canada, International Law applicable in cyberspace (April 2022).
  71. Federal Government of Germany, ‘On the Application of International Law in Cyberspace’, Position Paper (March 2021) 13-14.
  72. Italian Ministry for Foreign Affairs and International Cooperation, ‘Italian position paper on "International law and cyberspace"’ (2021) 7-8.
  73. Ministry of Foreign Affairs of Japan, Basic Position of the Government of Japan on International Law Applicable to Cyber Operations (16 June 2021) 4-5.
  74. Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 72-73.
  75. Government Offices of Sweden, Position Paper on the Application of International Law in Cyberspace (July 2022) 6.
  76. Federal Department of Foreign Affairs, ‘Switzerland's position paper on the application of international law in cyberspace’ (May 2021) 6-7.
  77. Attorney General Jeremy Wright, Cyber and International Law in the 21st Century (23 May 2018); Attorney General Suella Braverman, International Law in Future Frontiers (19 May 2022).
  78. Brian J Egan, International Law and Stability in Cyberspace (10 November 2016) 21-22; Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 142.
  79. ILC Articles on State Responsibility, Art 52(3).
  80. ILC Articles on State Responsibility, Art 52(4).
  81. ILC Articles on State Responsibility, Art 53.
  82. ILC Articles on State Responsibility, Art 54. In the cyber context, scholarship supportive of the notion of collective countermeasures includes Michael N Schmitt, ‘Estonia Speaks Out on Key Rules for Cyberspace’ (Just Security, 10 June 2019), considering the Estonian interpretation to be “an advantageous development in the catalogue of response options that international law provides to deal with unlawful acts”; see also Michael N Schmitt and Sean Watts, ‘Collective Cyber Countermeasures?’ (2021) 12 Harvard National Security Journal 373. Conversely, scholarship that has rejected this notion includes Jeff Kosseff, ‘Collective Countermeasures in Cyberspace’ (2020) 10(1) Notre Dame Journal of International & Comparative Law 18, 34; François Delerue, Cyber Operations and International Law (CUP 2020), 457.
  83. President of Estonia, Kersti Kaljulaid, ‘President of the Republic at the opening of CyCon 2019’ (29.05.2019); see also Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, UNODA, A/76/136 (August 2021) 28.
  84. New Zealand Foreign Affairs and Trade, The Application of International Law to State Activity in Cyberspace (1 December 2020) 3-4.
  85. Michael Schmitt, Three International Law Rules for Responding Effectively to Hostile Cyber Operations (Just Security, 31 July 2021).
  86. French Ministry of the Armies, International Law Applied to Operations in Cyberspace (9 September 2019) 10, arguing that collective countermeasures are not authorised under international law.
  87. Government of Canada, International Law applicable in cyberspace (April 2022) para 37.
  88. ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49, para 3.
  89. ILC Articles on State Responsibility, Commentary to Part One, Chapter 5, para 8 (noting that “[i]n a bilateral dispute over State responsibility, the onus of establishing responsibility lies in principle on the claimant State”).
  90. See, eg, Trail Smelter case (United States v Canada) (Award) 1941 3 RIAA 1905, 1965; see also Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 624 (noting that in cases where State responsibility is involved, the required threshold tends to shift towards ‘clear and convincing’).
  91. James Green, ‘Fluctuating Evidentiary Standards for Self-Defence in the International Court of Justice’ (2009) 58 ICLQ 163, 167 (emphasis original).
  92. ILC Articles on State Responsibility, Commentary in Part 3, Chapter 2 on Art 49 para 3.
  93. Case Concerning the Gabčíkovo-Nagymaros Project (Hungary v. Slovakia), Judgement (1997) para 83; Tallinn Manual 2.0, Commentary to Rule 26, para 6.
  94. For an overview of possible technical methods of attribution, see Massimiliano Albanese and others, ‘Deceiving Attackers by Creating a Virtual Attack Surface’ in Sushil Jajodia and others (eds), Cyber Deception: Building the Scientific Foundation (Springer 2016) 150-151.
  95. Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 625-626. At the same time, the basic principle is that in bilateral disputes, the onus to establish responsibility lies on the injured State. This places high demands on the injured State with respect to the process of attribution of a harmful conduct. See Evidentiary standards.
  96. There are some subjective elements in the realm of derivative responsibility discussed below (eg. aid or assistance or coercion). See James Crawford, State Responsibility: The General Part (CUP 2013) 405.
  97. Mary Ellen O'Connell, The Power & Purpose of International Law: Insights from the Theory & Practice of Enforcement (OUP 2008) 248.
  98. James Crawford, State Responsibility: The General Part (CUP 2013) 61. ILC Articles on State Responsibility, Commentary to Art. 2, at para 3. For an explanation of a different approach, see Giuseppe Palmisano, ‘Fault’, in Rüdiger Wolfrum (ed) Max Planck Encyclopedia of Public International Law (updated September 2007) para 6-14.
  99. For more details on function and preconditions of countermeasures in the domain of cyberspace, see Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013) 628-644, and Tallinn Manual 2.0, Rules 20-25. Since countermeasures shall not affect the obligation to refrain from the threat or use of force, it would also be necessary to assess whether the destruction of a critical infrastructure in State C could not amount to the use of force. See Case Concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Judgement (1986) para 249; ILC Articles on State Responsibility, Art. 50 para 1, letter a).
  100. For the application of the other conditions of countermeasures, see Scenario 06.
  101. Marko Milanovic, ‘Mistakes of Fact When Using Lethal Force in International Law: Part I’ (EJIL:Talk!), and the following parts.
  102. There are some subjective elements in the realm of derivative responsibility discussed below (eg. aid or assistance or coercion). See James Crawford, State Responsibility: The General Part (CUP 2013) 405.
  103. James Crawford, State Responsibility: The General Part (CUP 2013) 61; ILC Articles on State Responsibility, Commentary to Art. 2, para 3; Mary Ellen O'Connell, The Power & Purpose of International Law: Insights from the Theory & Practice of Enforcement (OUP 2008) 248. For an explanation of a different approach, see Giuseppe Palmisano, ‘Fault’, in Rüdiger Wolfrum (ed) Max Planck Encyclopedia of Public International Law (updated September 2007) para 6-14.
  104. François Delerue, Cyber Operations and International Law (CUP 2020), 228; Mary Ellen O'Connell, The Power & Purpose of International Law: Insights from the Theory & Practice of Enforcement (OUP 2008) 249; see also the argumentation in favour of the “objectivist” approach in Marko Milanovic, ‘Mistakes of Fact When Using Lethal Force in International Law: Part II’ (EJIL:Talk!). There are few opinions that mistake of fact might qualify as a circumstance precluding wrongfulness, but often they are not further elaborated on. See for example Second report on State responsibility, by Mr. James Crawford, Special Rapporteur (1994, A/CN.4/498 and Add.1–4) para 262. An error has significant legal relevance in some other sub-fields of international law, for example as a ground for invalidity of international treaties - see Article 48 of the Vienna Convention on the Law of Treaties from 1969, or in the context of international criminal law – see for example Art. 32 para 1 of the Rome Statute of the International Criminal Court from 1998. See an overview of state practice on the relevance of mistake of facts in various sub-fields of international law in Marko Milanovic, ‘Mistakes of Fact When Using Lethal Force in International Law: Part I’ (EJIL:Talk!), and the following parts.
  105. Mary Ellen O'Connell, The Power & Purpose of International Law: Insights from the Theory & Practice of Enforcement (OUP 2008) 249.
  106. In the context of self-defence, cf. Oil Platforms (Islamic Republic of Iran v. United States of America), ICJ, Judgement (2003) para 73. Mistakes and involuntary acts may constitute unlawful use of force. See also François Delerue, Cyber Operations and International Law (CUP 2020) 305.
  107. ILC Articles on State Responsibility, Commentary to Art. 49, para 3.
  108. ILC Articles on State Responsibility, Art. 4; Tallinn Manual 2.0, Commentary, Rule 20, para. 16.
  109. ILC Articles on State Responsibility, Commentary to Art. 49, para 3; François Delerue, Cyber Operations and International Law (CUP 2020) 438.

Bibliography and further reading

  • Christian Dominicé, ‘Attribution of Conduct to Multiple States and the Implication of a State in the Act of Another State’ in James Crawford and others (eds), The Law of International Responsibility (OUP 2010).
  • François Delerue, Cyber Operations and International Law (CUP 2020).
  • James Crawford, State Responsibility: The General Part (CUP 2013).
  • James Crawford, ‘State Responsibility’ in R Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008).
  • Jutta Brunnée, ‘Sic utere tuo ut alienum non laedas’ in Rüdiger Wolfrum (ed), Max Planck Encyclopedia of Public International Law (OUP 2008, updated March 2010).
  • Kristin E. Heckman and others, Cyber Denial, Deception and Counter Deception: A Framework for Supporting Active Cyber Defence (Springer 2015) - addressing deception as a strategy and technical method of resisting and eliminating cyber intrusions.
  • Marco Roscini, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 Texas International Law Journal 1.
  • Michael N Schmitt (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (CUP 2017).
  • Michael N Schmitt, ‘'Below the Threshold' Cyber Operations: The Countermeasures Response Option and International Law’ (2014) 54 Virginia Journal of International Law 1.
  • Robin Geiss and Henning Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Katharina Ziolkowski (ed), Peacetime Regime for State Activities in Cyberspace (NATO CCD COE 2013).

Contributions
