For a while now, scholarly discussions on cyber-attacks have centered around the challenges in attributing any cyber-attack to a nation-state. This is with good reason, and no one explains these reasons better than Joel Brenner, who observed that “the Internet is one big masquerade ball. You can hide behind aliases, you can hide behind proxy servers, and you can surreptitiously enslave other computers without their owners’ knowledge— and then use their computers to do your dirty work.”Footnote 1

Cyberspace presents a vast array of tools for concealment and disguise. Today, any person can impersonate another computing system (IP spoofing)Footnote 2, anonymize communication through layers of encryption (onion routing)Footnote 3 and even prevent reverse engineering and deliver untraceable code (obfuscating log files)Footnote 4. These are merely a few of the many techniques that enable actors, including nation states, to commit malicious cyber acts with impunity.

However, while these issues do make it difficult for public attribution, i.e., a government publicly calling out the perpetrator-state, they present an even larger challenge to the victim state legally proving its claims in an international judicial forum. After all, the next step to identifying the perpetrator is claiming remedies and this can only be done once the victim State is able to prove its claims in accordance with evidentiary standards in international law.

Given that states now accept that international law applies to cyberspaceFootnote 5, this article first discusses the limitations in public attribution and highlights the need for using legal fora for redressal in cases involving cyber-attacks. This is followed by an examination of the existing requirements and treatment of evidence in international law for international wrongs and teases out the evidentiary thresholds that states will be required to meet to show an international wrong in cyberspace. The article concludes that while it is likely that international judicial forums will not relax standards of proof to accommodate the obvious cyber-challenges, circumstantial evidence is available as a potentially viable route to prove a violation. Since state to state disputes have been more commonly addressed in the International Court of Justice (“ICJ / Court”), this article will rely on the standards used by the ICJ, while also pointing out a few decisions by other international judicial forums as well.

To be clear, the article primarily deals with standards of proof and methods of proof, both of which must be distinguished from rules of attribution in international law. While the standard of proof deals with the quantum of evidence required to prove a claim, rules of attribution deal with the level of control exercised by the State over a non-state actor that caused the violation.Footnote 6 These rules of attribution primarily find their source in Article 8 of the Articles on Responsibility of States for Internationally Wrongful ActsFootnote 7 (“Articles of State Responsibility”) as well as the extremely strict “effective control” test formulated by the ICJ in Nicaragua v. United States (“Nicaragua”) and the slightly lower standard of “overall control” formulated by the International Criminal Tribunal for the former Yugoslavia in Prosecutor v. Tadic (“Tadic”). In the cyber domain, new tests are being proposed, such as the “control and capabilities” test, which is supposedly based on recent state practice in public attribution of cyber-attacks and has an even lower threshold than the overall control test.Footnote 8 While a discussion of these evolving tests is certainly important in the cyber domain, it is worthwhile to point out that these tests of attribution should not be conflated with the standards of proof that states’ evidence must meet to prove their claims.

1 Limitations of public attribution and the need for legal attribution

Public attribution, the practice of calling out perpetrators of malicious cyber activities, is currently among the few tools of deterrence available in cyberspace. While recent times have seen several private entities with technical expertise such as MandiantFootnote 9 and CrowdStrikeFootnote 10 enter the fray by not only investigating and tracing the malicious activity to the perpetrators, but also publicly reporting details of their investigations, this discussion will be limited to instances of public attribution by governments. Public attribution by governments largely consists of statements issued by officials with various levels of formality.Footnote 11 It is perceived as having several benefits including exposing errant statesFootnote 12 and driving vulnerable targets to providers to bolster their networksFootnote 13, besides calling public attention to malicious activity in cyberspace. It has particular use in forcing states to draw “red lines” on norms and violations in cyberspace, thereby also contributing to the growth of much needed opinio juris in cyberspace.

However, a state that has been the victim of a cyber-attack must also be able to resort to legal remedies, since the benefits of public attribution, though important, are still limited.Footnote 14 While the exercise of naming and shaming can contribute to opinio juris, the repeated involvement of only a handful of states willing to engage in public attribution, as well as the lack of any real costs or measures being imposed on the accused state beyond the naming and shaming, limit its efficacy as a tool to deter future malicious cyber activity in the international community.Footnote 15

Pursuing legal remedies in an international legal forum, on the other hand, can result in tangible benefits such as injunctions and reparations, as well as serve as a strong reminder to states that malicious cyber activities have real consequences.

Further, judicial determinations in international legal fora ordinarily result from a rigorous process that grants them legitimacy and renders them trustworthy, which can be hard to achieve through public attribution in its present form, chiefly consisting of one-sided accusations by the victim state, often with vocal support from its allies, followed by dismissive denials by the accused state. For instance, the collective public attribution to Russia by the United States, the United Kingdom and the Netherlands for attempting to hack the Organisation for the Prohibition of Chemical Weapons (OPCW) elicited a dismissive Russian response, terming the joint action “Western spymania” and claiming that Russia was the victim of “yet another stage-managed propaganda campaign”.Footnote 16

Also, even though the 2015 Report of the United Nations Group of Governmental Experts (UNGGE) expressly provides that accusations of organizing and implementing wrongful acts brought against States should be substantiatedFootnote 17, states have expressed contrary views. For instance, Brian Egan, the then Legal Advisor to the State Department in the United States, stated that while states may choose to do so, there exists no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action.Footnote 18 Even in the largest exercise of collective attribution yet, in which several countries (the United States, Australia, the United Kingdom and many EU countries including Poland, Estonia, Lithuania, the Czech Republic and Denmark) all named Russia as responsible for the cyber-attacks on GeorgiaFootnote 19, thereby giving the impression that there was a strong basis for the allegations, no evidence was publicly disclosed. Refusal to produce evidence can often be perceived as a lack of evidence, further exacerbating distrust and undermining confidence in claims of public attribution, thereby negating any beneficial outcomes. Hence, it becomes necessary to look at other ways and means of achieving tangible outcomes in disputes involving cyber-attacks, such as legal redressal. For a state to take legal action against another state in an international legal forum for harm caused to it by a malicious cyber activity, it will necessarily have to meet the required evidentiary standards of proof in international law.

2 Standards of proof in international law

The highest standard of evidence in law is posited by domestic criminal law, which demands proof beyond reasonable doubt, while civil cases in most common law jurisdictions only require proof by a preponderance of evidence or balance of probabilities, i.e., a more likely than not standard. While some scholars note that the nature of international litigation between states in a forum such as the ICJ is more comparable to civil litigation than criminal,Footnote 20 the Court has typically refrained from laying down any particular standard of proof in the cases it has dealt with, preferring to determine causality and responsibility on a case by case basis.

Portions of the Court’s decisions concerning the evidence presented before it shed some light on the prevailing standards of proof in international law considered by it. For instance, in Bosnia and Herzegovina v. Serbia and Montenegro (“Bosnian Genocide case”), in which Bosnia alleged that Serbia contributed to and failed to prevent and punish acts of genocide, the Court stated that “claims against a State involving charges of exceptional gravity must be proved by evidence that is fully conclusive”,Footnote 21 indicating that the standard of proof in cases of exceptional gravity such as genocide was that of “fully conclusive” evidence.

However, for cases involving the use of force, the Court has used different terminology. For instance, the Court in Nicaragua explicitly states that it had to ensure that “the facts on which [the claim of the party appearing] is based [is] supported by convincing evidence”Footnote 22 and that there was “no clear evidence of the United States having actually exercised such a degree of control in all fields as to justify treating the contras as acting on its behalf.”Footnote 23 Again, in Democratic Republic of Congo v. Uganda (“Armed Activities case”) the Court repeatedly referred to evidence that must be “convincingly established”, or to “convincing evidence” or “sufficient and convincing evidence”, in the context of proving allegations of use of force.Footnote 24 So the inference vis-à-vis standards of proof is that for violations of exceptional gravity, “fully conclusive” evidence is required, and for lesser violations, at least “clear and convincing” evidence is required. Both these standards set high evidentiary bars to reach.

Where does this leave cyber-attacks? Given these high evidentiary thresholds, how is any victim-state supposed to prove that the perpetrator state carried out an international wrong in cyberspace, with all its vagaries including concealment and disguising issues?

Ongoing efforts to examine issues in the application of international law to cyberspace also do not address these issues. The International Group of Experts (IGE) tasked with creating a Manual on the Law of Cyberwarfare under the aegis of the NATO Cooperative Cyber Defence Centre of Excellence, and whose work resulted in the Tallinn Manual 1.0 and the Tallinn Manual 2.0, also did not discuss the standards and methods of proof in international law applicable to cyber-norm violations, instead leaving them to be “determined by the relevant forum”.Footnote 25 They were not wrong to do so, given that the constituting instruments of most international courts usually leave it to the court to determine issues of burden and standards of proof, as well as rules of evidence, on their own.Footnote 26 However, significantly, the IGE in the Tallinn Manual 1.0 do opine that a cyber-attack originating from a state’s governmental cyber infrastructure, while not sufficient to attribute the cyber-attack to that government, is an indication that the state in question is associated with the operation.Footnote 27 Even though the Tallinn Manual 1.0 also notes the dangers of spoofing and disclaims that this rule be used to pre-determine evidentiary conclusions as to attribution, if applied by states, it could give rise to a rebuttable presumption that the state from whose governmental cyber infrastructure the attack was launched was involved with the attack.Footnote 28 If and when accepted by states, this would be an important development, since it could significantly ease the proving of cyber-attacks. However, as the Tallinn Manuals stand currently, they are considered by states as more of a “starting point of a conversation” than an authoritative text.Footnote 29

In any case, scholars have advised against lowering the standard of proof in the cyber-context simply on account of identification and attribution issues.Footnote 30 As Roscini aptly puts it, the standard of proof exists not to disadvantage the claimant but to protect the respondent against false attribution, an all-too-present danger in the cyber-domain.Footnote 31 But while this cautious approach generally bodes well to prevent states from being framed or mistakenly held responsible, it still does nothing to solve the problem of attribution in the cyber-domain, which is plagued by a general lack of evidence and, where evidence does exist, by that evidence being under the control of another state. However, as discussed in the next section, one viable route appears to be the proper accumulation and use of indirect or circumstantial evidence, currently the main form of evidence available in the cyber-domain.

3 Circumstantial evidence in cyberspace

Evidence is of two types: (i) direct and (ii) indirect or circumstantial. While direct evidence establishes a conclusion, circumstantial evidence is commonly understood as evidence that establishes facts and circumstances from which reasonable inferences can be drawn to reach a conclusion. Today, the nature of digital forensic evidence and other intelligence available after any cyber-attack is circumstantial, inasmuch as it only gives rise to inferences that can together lead to a conclusion. For instance, while investigating the source of Stuxnet, a malware that was designed to sabotage Iran’s nuclear enrichment facilityFootnote 32, analysts took into account various facts, including an article published by a former US intelligence officer one year prior to Stuxnet being discovered, outlining a strategic cyber strike against centrifuges, and the high level of sophistication of the software, to conclude that the US government was involved.Footnote 33 Another example is the United States indictment of the 5 PLA members in United States v. Wang Dong et al., which was partly based on identifying signatures or hallmarks in the malware, in addition to the time pattern of their activities corresponding with business hours in Shanghai.Footnote 34

4 The Corfu Channel rule: when circumstantial evidence was “Good Enough”

As far as international law is concerned, circumstantial evidence is commonly used and has sometimes even been sufficient to find states responsible for violations. In the very first dispute before it, the Corfu Channel case, the ICJ had to deal with issues involving circumstantial evidence provided by the United Kingdom (“UK”) and exclusive control of evidence by Albania. In the case, the UK alleged that Albania had knowledge of and failed in its obligation to warn the UK of the mines in its channel which struck two UK warships. With regard to the indirect or circumstantial evidence provided by the UK, the Court ruled that “proof may be drawn from inferences of fact provided they leave no room for reasonable doubt”.Footnote 35 After acknowledging that the UK did not have access to evidence that was within Albania’s exclusive territorial control and was hence disadvantaged by it, the Court allowed it a “more liberal recourse to inferences of fact and circumstantial evidence.”Footnote 36 By establishing that Albania closely guarded the channel waters, could observe the mine-laying from the Albanian coast, and providing evidence of previous Albanian mine-sweep operations, the UK was able to establish “a series of facts linked together and leading logically to a single conclusion”Footnote 37 that in the Court’s opinion left “no room for reasonable doubt” that Albania knew about the mines in the channel,Footnote 38 and hence, violated its obligation to warn the UK. Other facts that corroborated the UK’s claim included a declaration by the Albanian delegate in the Security Council and diplomatic notes from Albania on the passage of ships through its territorial waters.Footnote 39

The Corfu Channel case shows that the Court allows “recourse to liberal inferences of fact and circumstance” to prove state responsibility when (a) the relevant direct evidence is within the exclusive territorial control of another state and (b) the circumstantial evidence furnished is consistent with or does not contradict any direct evidence produced.Footnote 40 But cyber attribution experts would do well to note that it was only the method of proof that was relaxed in this case, and not the standard of proof. Even in cases where such circumstantial evidence is allowed to be adduced, it would still have to meet the requisite standard of proof or threshold, which in the Corfu Channel case was characterized as “no room for reasonable doubt”. Hence, applying this to the cyber-domain can mean that a lack of direct evidence could allow for a more liberal method of proof, but the standard of proof remains high.

While the Corfu Channel rule is regularly cited as the prevailing standard on the treatment of circumstantial evidence in international law, the ICJ’s Bosnian Genocide case is often cited as the decision in which the Court rejected the argument that circumstantial evidence was sufficient to fix state responsibility. But the Court’s ruling in this case was for different reasons.

5 The Bosnian Genocide case: when circumstantial evidence was not “Good Enough”

In the Bosnian Genocide case, Bosnia and Herzegovina alleged that Serbia had violated the prohibition on genocide under the Genocide Convention and had also failed in its obligation to prevent and punish the perpetrators of genocide.Footnote 41 Similar to the UK in Corfu Channel, Bosnia also argued that Serbia had exclusive control over the territory, making it almost impossible for Bosnia to produce direct evidence showing Serbian complicity, and that the Court should allow Bosnia to make liberal inferences of fact and circumstance from patterns of evidence, both to hold Serbia responsible for the genocide and to find that it had the specific intent to carry it outFootnote 42, i.e., the Court should use circumstantial evidence to come to a positive finding of specific intent on Serbia’s part. But the Court refused to do so and held that for the requisite intent to be proven, any pattern of conduct would have to “be such that it could only point to the existence of such intent.”Footnote 43

With regard to the Court rejecting circumstantial evidence in this instance, a number of factors played a role. One factor was that Serbia presented substantial direct evidence to the contrary, such as witness statements. The ICJ also relied on the ICTY’s judgements, which contained findings of fact that went against what Bosnia was trying to prove.Footnote 44 Given this, it is hard to take the view that the Court has moved away from the Corfu rule on circumstantial evidence. Clearly the Court prefers direct evidence, as would any judicial forum, but this is not to say that in cases where such direct evidence may be absent, either due to technical difficulties or the refusal of a party to produce it, the Court will not turn to circumstantial evidence.

6 Other international legal jurisprudence

Circumstantial evidence has also found common use in other international forums. For instance, the Eritrea-Ethiopia Claims Commission in its Partial Award for the Central Front, Involving Eritrea’s Claims 2, 4, 6, 7, 8, and 22,Footnote 45 held Ethiopia liable on the basis of the testimony of a civilian who testified that a cemetery, which had been undamaged when he fled the village before Ethiopian troops arrived, was found destroyed after he returned. The inference from this testimony, together with the fact that the village was under Ethiopian control, was used by the Commission to conclude that Ethiopia was responsible.Footnote 46

Similarly, the NAFTA tribunal in Methanex v. United States was “not averse to trying to connect the dots”Footnote 47 put forth by Methanex to examine whether they led to the “most compelling of possible explanations of events”Footnote 48 and conclude that the United States was in violation of its obligations under the NAFTA. While the Tribunal ultimately concluded that the “dots” together did not point to liability on the part of the United StatesFootnote 49, it is a good example of the use of inferences or circumstantial evidence in international law, particularly since the NAFTA tribunal relied on the same sources of law as the ICJ, specified in Article 38(1) of the ICJ Statute.Footnote 50

7 Cyberspace attribution: current status in brief

Most digital forensic data available to analysts in the aftermath of cyber-attacks is in the form of IP addresses, email addresses, domain names, hashes, etc., which are analysed to answer the what, how, who and why questions. Much of this currently involves educated guesswork, which includes examining samples such as malware or custom tools found in the affected cyber-infrastructure, identifying language and content patterns found in phishing emails, determining the locations of servers and so on, to answer the what and how questions. This then needs to be viewed in combination with other evidence, typically obtained from signals intelligence, human intelligence, etc., to form a clearer picture of the who and why questions.

For instance, the US indictment of 5 PLA members in United States v. Wang Dong, et al. was based, apart from digital forensic data including patterns in spear-phishing emails, on facts such as the target / victim companies all having significant economic or business interests in China as well as the period of activity by the accused corresponding to business hours in Shanghai.Footnote 51 While this is an example of the use of the “connect the dots” method in cyber violations, it happens to be a far cry from the “fully conclusive”, “clear and convincing” or the “no room for reasonable doubt” standards of evidence required in state-to-state litigation. Indeed, the indictment is only the first step in domestic criminal proceedings and even within the United States, the accused in this case are innocent until they are proven guilty in a court of law.
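The “time pattern” dot mentioned above and in the previous section is one of the few forensic inferences that can be reproduced mechanically from a victim’s own logs. The following is an added example, not code from the original article or from any of the investigations it cites: it takes a small set of constructed, hypothetical web-server log lines (UTC timestamps, documentation-range addresses), re-expresses each event in a handful of candidate fixed UTC offsets, and counts how much of the activity falls inside a Monday-to-Friday 09:00-18:00 working week in each. The offsets are illustrative; UTC+8 happens to be the offset used in Shanghai, which observes no daylight saving, but nothing in the data is drawn from the Wang Dong indictment.

```python
"""Working-hours inference over constructed intrusion timestamps.

Hypothetical illustration of the "time pattern" inference used in attribution
reports: convert each observed event to candidate local time zones and ask how
much of the activity lands inside an ordinary working week there.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (UTC): timestamp, source address, request, status.
# Addresses are from the 203.0.113.0/24 documentation range; nothing here comes
# from a real investigation.
SAMPLE_LOG = """\
2023-03-06T01:12:44Z 203.0.113.7 POST /login 200
2023-03-06T03:05:10Z 203.0.113.7 GET /admin/export 200
2023-03-06T07:48:02Z 203.0.113.7 GET /admin/export 200
2023-03-07T02:30:55Z 203.0.113.9 POST /login 200
2023-03-07T06:14:19Z 203.0.113.9 GET /files/q1.zip 200
2023-03-08T01:59:31Z 203.0.113.7 POST /login 200
2023-03-08T08:21:07Z 203.0.113.7 GET /files/q2.zip 200
2023-03-08T09:40:00Z 203.0.113.7 GET /files/q3.zip 200
2023-03-09T00:47:13Z 203.0.113.9 POST /login 200
2023-03-09T04:33:40Z 203.0.113.9 GET /admin/export 200
2023-03-10T02:02:26Z 203.0.113.7 POST /login 200
2023-03-10T09:10:58Z 203.0.113.7 GET /files/q4.zip 200
2023-03-11T03:15:09Z 203.0.113.9 POST /login 200
2023-03-13T05:40:00Z 203.0.113.7 POST /login 200
2023-03-13T17:55:21Z 203.0.113.9 GET /admin/export 200
"""

# Candidate offsets to test (hours east of UTC); purely illustrative choices.
CANDIDATE_OFFSETS = [-5, 0, 3, 8, 9]


def parse_utc_timestamps(log_text):
    """Return timezone-aware UTC datetimes, one per non-empty log line."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp = line.split()[0]
        naive = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
        events.append(naive.replace(tzinfo=timezone.utc))
    return events


def business_hours_score(events, offset_hours, start_hour=9, end_hour=18):
    """Count events that fall Mon-Fri in [start_hour, end_hour) local time for
    the fixed-offset zone UTC+offset_hours. Returns (hits, total)."""
    zone = timezone(timedelta(hours=offset_hours))
    hits = 0
    for event in events:
        local = event.astimezone(zone)
        if local.weekday() < 5 and start_hour <= local.hour < end_hour:
            hits += 1
    return hits, len(events)


def local_hour_histogram(events, offset_hours):
    """Distribution of events by local hour in the given fixed-offset zone."""
    zone = timezone(timedelta(hours=offset_hours))
    return Counter(event.astimezone(zone).hour for event in events)


def rank_offsets(events, offsets=CANDIDATE_OFFSETS):
    """Rank candidate offsets by working-week fit, best fit first.
    Returns a list of (offset_hours, hits, total) tuples."""
    scored = [(off, *business_hours_score(events, off)) for off in offsets]
    return sorted(scored, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    evs = parse_utc_timestamps(SAMPLE_LOG)
    for off, hits, total in rank_offsets(evs):
        print(f"UTC{off:+d}: {hits}/{total} events inside Mon-Fri 09:00-18:00")
```

Two features of the output matter for the argument in this article. First, neighbouring offsets score almost identically (UTC+8 and UTC+9 differ by a single event here), so the method narrows the field to a region at best, never to a state or an organisation. Second, the operator controls the timestamps: anyone who schedules their activity can manufacture or destroy this pattern, which is why it is corroborative at most and nowhere near a “no room for reasonable doubt” showing on its own.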

In the cyber sphere itself, there have so far been multiple private investigative attempts to attribute cyber-attacks or identify malicious cyber actors. Some examples are the Project Grey Goose Report on the Georgia DDoS attacks, which indicates that the attacks originated from Russia and that they were also possibly supported by the Russian governmentFootnote 52, and the Mandiant Report, which traces and identifies a cyber unit in the PLA as the main perpetrator in multiple cyber-attacks and cyber-espionage in the United States.Footnote 53 Despite the technical detail in these reports, the connections drawn by them from inferences or “dots”, so to speak, to link the perpetrators to the states are tenuous and not likely to meet legal thresholds. At best, these reports may be viewed as corroborative evidence and are otherwise not likely to withstand scrutiny in any international judicial forum.

8 Circumstantial evidence in context

Having noted that gathering circumstantial evidence is difficult, let us contextualize the use of circumstantial evidence to prove state responsibility in the cyber-domain. Taking the malicious cyber-activity in one of India’s nuclear reactors at Kudankulam as an example, investigations have reportedly revealed that (i) the attack was traced to a computer model that is produced in and only used in North Korea, (ii) the MAC and IP addresses bear North Korean signatures, (iii) the Korean language was used in the code, (iv) the malignant code corresponded with a previous cyber-attack on South Korea’s banks that was also attributed to North Korea and lastly (v) the code is a variant of the “Dtrack” malware known to be associated with the Lazarus Group, believed to be composed of North Koreans.Footnote 54 Add to the mix other “circumstances” such as the highly state-controlled nature of North Korean cyberspace and reports of cyber-warriors trained by the North Korean government being used to carry out similar cyber espionage operations in different countries. Based on this information, it is certainly tempting to point the finger at the North Korean government for the Kudankulam cyber-attack, and many have.Footnote 55

But still, by itself this evidence is not likely to achieve much at the ICJ. It is doubtful that these facts, even if proved, would be construed as constituting “a series of facts linked together and leading logically to a single conclusion” leaving “no room for reasonable doubt” as in the Corfu Channel case. India would not just have to prove that the malware was traced to North Korea; it would also be required to negate the possibilities of IP spoofing, code-mimicking and other modes of concealment and disguise in cyberspace, since it will bear the burden of proving its claim. In fact, if it were to rely on this kind of circumstantial evidence, India might also be required to prove facts such as the malware being of a kind that only the North Korean government possesses and uses, with no reasonable possibility of any other actor having access to it, and that the North Korean government stands the most to gain, to the exclusion of any other state or actor. Obviously this is a very high burden on any state. Considering most of the evidence is likely to be in the exclusive control of North Korea, would India be allowed liberal recourse to inferences of fact and circumstance? Possibly. But such recourse would still be circumscribed by the requirement of meeting the high “no room for reasonable doubt” standard. And it is that high standard that India is not likely to meet, unless more evidence sees the light of day.

9 Conclusion

Despite the law almost never functioning within the boundaries of absolute certainty, it is apparent that the “good enough” standard currently touted as sufficient for public attribution or for taking countermeasuresFootnote 56 is definitely not going to cut it for states that wish to seek reparations or other legal reliefs in any international court, particularly the ICJ. Even the Tallinn Manual 2.0 recognizes this when it cautions that if the conclusion as to attribution proves to be flawed, the State responding to the cyber-attack with countermeasures will itself have committed an internationally wrongful act.Footnote 57 As for ongoing efforts to lower the threshold for attribution in the case of non-state actors from the prevailing test of “effective control” to the test of “overall control”, or even to form entirely new tests such as the “control and capabilities” test, it should be noted that no matter what the attributive test, the evidentiary standard of proof remains high and the methods of proof in cyberspace remain difficult to navigate.

Rapid modernization, along with the ongoing Covid-19 pandemic, has both spurred and highlighted the importance of the digital world as well as its supporting infrastructure. It is no surprise that cyber operations are currently high on the agenda for most States. Estonia’s recent presidency of the United Nations Security Council saw cyber-attacks being raised for the first time as an issue at the Security Council.Footnote 58 In a bid to stay ahead, States are racing against technological progress by attempting to identify norms for responsible state behaviour in cyberspace. This effort has already led to broad agreement (barring a few States) that conventional jus in bello or the law of war is applicable to cyberspace and cyber-attacks.Footnote 59 There is also broad consensus that concepts of jus ad bellum such as the prohibition of the threat or use of force and the right to self-defence under Article 2(4) and Article 51 of the United Nations Charter, 1945, respectively, are also applicable to cyberspace.Footnote 60 Even though States are still in the process of agreeing on the modalities of how these rules apply, surely there can be little question that the evidentiary rules of proving the violation of these obligations must simultaneously receive serious consideration. After all, standards of proof and methods of proof are not decided by States, but the judicial forum deciding contesting claims. As States engage in the all-important task of fleshing out the rules for applying conventional legal obligations in cyberspace, it is important for them to bear these issues in mind. Technical experts and strategists involved at all levels of attribution must necessarily be mindful of evidentiary hurdles so they may be guided in determining how much information / evidence is required to make attribution meaningful.