Attribution to State of Cyber Operations Conducted by Non-State Actors

  • François Delerue


State-sponsored cyber operations constitute a real challenge for the law of State responsibility. One of the main issues is that it is impossible in most cases, at least to date, to identify clearly the perpetrators of cyber operations, whether individuals or State agents, and to determine whether their conduct is attributable to States or other subjects of international law. Most cyber operations generally alleged to be state-sponsored have not yet been clearly attributed to a State. International law cannot solve the technical problem of attribution. However, attribution cannot be limited to its technical aspects. Generally, attribution of cyber conduct has three different dimensions: firstly, attribution to the machine from which the cyber operation was launched or through which it transited; secondly, attribution to the person who conducted the cyber operation; and thirdly, attribution to an aggregate entity, notably a State. The present Chapter focuses on attribution from an international law perspective, that is to say attribution of conduct to a State or another subject of international law. More specifically, it focuses on the question of attribution of cyber operations conducted by non-state actors under the instructions, direction or control of the State.



I am grateful to the organisers and participants of the workshop “New Technologies as Shields and Swords: Legal Challenges for International, European, and Domestic Law” organised at the University of Parma on 19-20 June 2017 for the discussion and insightful comments. The views expressed are mine in my personal capacity. All errors and omissions remain of course mine.



Copyright information

© Springer Nature Switzerland AG 2019

Authors and Affiliations

  1. Institut de recherche stratégique de l’École militaire (IRSEM), Paris, France
