Attribution to State of Cyber Operations Conducted by Non-State Actors
- 283 Downloads
State-sponsored cyber operations constitute a real challenge for the law of State responsibility. One of the main issues is the impossibility in most cases, at least to date, to identify clearly the perpetrators of cyber operations, either individuals or State agents, and to determine whether their conducts are attributable to States or other subjects of international law. Most cyber operations generally alleged to be state-sponsored have not been clearly attributed to a State yet. International law cannot bring a solution to the technical problem of attribution. However, attribution cannot be limited to its technical aspects. Generally, attribution of cyber conducts has three different dimensions: firstly, the attribution to the machine from which the cyber operation was launched or had transited; secondly, the attribution to the person who conducted the cyber operations; and thirdly, the attribution to an aggregate entity, notably a State. The present Chapter focuses on attribution from an international law perspective, that is to say attribution of a conduct to a State or another subject of international law. More specifically, it focuses on the specific question of attribution of cyber operations conducted by non-state actors under the instructions, direction or control of the State.
I am grateful to the organisers and participants of the workshop “New Technologies as Shields and Swords: Legal Challenges for International, European, and Domestic Law” organised at the University of Parma on 19-20 June 2017 for the discussion and insightful comments. The views expressed are mine in my personal capacity. All errors and omissions remain of course mine.
- Abass, Ademola. 2007. Proving State Responsibility for Genocide: The ICJ in Bosnia v. Serbia and the International Commission of Inquiry for Darfur. Fordham International Law Journal 31: 871–910.Google Scholar
- Álvarez Ortega, Elena-Laura. 2015. The Attribution of International Responsibility to a State for Conduct of Private Individuals Within the Territory of Another State. InDret, 1–40Google Scholar
- Bakker, Christine, and Mirko Sossai, eds. 2012. Multilevel Regulation of Military and Security Contractors: The Interplay Between International, European and Domestic Norms. Oxford: Hart.Google Scholar
- BBC. 2008. Estonia Fines Man for “Cyber War”. http://news.bbc.co.uk/2/hi/technology/7208511.stm.
- Brenner, Susan W. 2007. “At Light Speed”: Attribution and Response to Cybercrime/Terrorism/Warfare. The Journal of Criminal Law and Criminology 97: 379–475.Google Scholar
- Clark, David, Thomas Berson, and Herbert S. Lin, eds. 2014. At the Nexus of Cybersecurity and Public Policy: Some Basic Concepts and Issues. Washington, DC: National Academies Press.Google Scholar
- Clover, Charles. 2009. Kremlin-Backed Group Behind Estonia Cyber Blitz. Financial Times. http://www.ft.com/cms/s/0/57536d5a-0ddc-11de-8ea3-0000779fd2ac.html#axzz2TBcey8a5.
- De Frouville, Olivier. 2010. Attribution of Conduct to the State: Private Individuals. In The Law of International Responsibility, ed. Alain Pellet et al., 257–280. Oxford: Oxford University Press.Google Scholar
- Francioni, Francesco. 2011. The Role of the Home State in Ensuring Compliance with Human Rights by Private Military Contractors. In War by Contract: Human Rights, Humanitarian Law, and Private Contractors, ed. Francesco Francioni and Natalino Ronzitti, 93–110. Oxford: Oxford University Press.CrossRefGoogle Scholar
- Francioni, Francesco, and Natalino Ronzitti, eds. 2011. War by Contract: Human Rights, Humanitarian Law, and Private Contractors. Oxford: Oxford University Press.Google Scholar
- International Law Commission (ILC). 2001. Commentary to the Articles on State Responsibility. ILC Yearbook (Part II) 2: 31–143.Google Scholar
- Kreß, Claus. 2001. L’organe de facto en droit international public: Réflexions sur l’imputation à l’etat de l’acte d’un particulier à la lumière du développements récents. Revue Générale de Droit International Public 105: 93–144.Google Scholar
- Landau, Susan, and David D. Clark. 2010. Untangling Attribution. In Proceedings of a Workshop on Deterring Cyber Attacks: Informing Strategies and Developing Options for U.S. Policy, 25–40. Washington, DC: National Academies Press; Committee on Deterring Cyberattacks: Informing Strategies and Developing Options.Google Scholar
- Lehnardt, Chia. 2007. Private Military Companies and State Responsibility. In From Mercenaries to Market: The Rise and Regulation of Private Military Companies, ed. Simon Chesterman and Chia Lehnardt, 129–157. Oxford: Oxford University Press.Google Scholar
- Lindau, Katri. 2012. Cyber Security in Estonia: Lessons from the Year 2007 Cyberattack. Tallinn University.Google Scholar
- Mahiou, Ahmed. 2009. Le droit international ou la dialectique de la rigueur et de la flexibilité: cours général de droit international. Le Recueil des Cours de l’Académie de Droit International de La Haye 337: 9–516.Google Scholar
- Ottis, Rain. 2008. Analysis of the 2007 Cyber Attacks Against Estonia from the Information Warfare Perspective. In Proceedings of the 7th European Conference on Information Warfare and Security, Plymouth, 163–168.Google Scholar
- Palchetti, Paolo. 2010. De Facto Organs of a State. Max Planck Encyclopedia of Public International Law. http://opil.ouplaw.com/home/EPIL.
- Radio Free Europe/Radio Liberty. 2009. Behind The Estonia Cyberattacks. http://www.rferl.org/content/Behind_The_Estonia_Cyberattacks/1505613.html.
- RIA Novosti. 2007. Estonia Has No Evidence of Kremlin Involvement in Cyber Attacks. http://en.ria.ru/world/20070906/76959190.html.
- ———. 2015a. Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations. Texas International Law Journal 50: 233–273.Google Scholar
- ———. 2015b. Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations. In Cyber War: Law and Ethics for Virtual Conflicts, ed. Claire Finkelstein, Jens David Ohlin, and Kevin Govern, 215–248. Oxford: Oxford University Press.Google Scholar
- Schmitt, Michael N., ed. 2013. The Tallinn Manual on the International Law Applicable to Cyber Warfare. Cambridge: Cambridge University Press.Google Scholar
- Shackelford, Scott. 2009. From Nuclear War to Net War: Analogizing Cyber Attacks in International Law. British Journal of International Law 27: 192–251.Google Scholar
- Shaw, Malcolm N. 2014. International Law. 7th ed. Cambridge: Cambridge University Press.Google Scholar
- Tait, Matt. 2016. On the Need for Official Attribution of Russia’s DNC Hack. Lawfare. www.lawfareblog.com/need-official-attribution-russias-dnc-hack.
- Tikk, Eneken, and Kadri Kaska. 2010. Legal Cooperation to Investigate Cyber Incidents: Estonian Case Study and Lessons. In 9th European Conference on Information Warfare and Security, Thessaloniki, Greece, 288–294.Google Scholar
- Tikk, Eneken, Kadri Kaska, and Liis Vihul. 2010. International Cyber Incidents: Legal Considerations. NATO Cooperative Cyber Defence Centre of Excellence. http://www.ccdcoe.org/publications/books/legalconsiderations.pdf.
- Tougas, Marie-Louise. 2012. Droit international, sociétés militaires privées et conflit armé: Entre incertitudes et responsabilités. Bruxelles: Bruylant.Google Scholar