Abstract
A state’s urge to make attribution follows from having suffered prior foreign malicious cyber operations. Three commonly recognized dimensions, the technical, the political, and the legal, help in understanding such attribution practice. Compared with attribution that is processed confidentially, publicly blaming a state should be better substantiated. But because legal deficiencies in the current body of international law, along with some technical obstacles, cannot live up to the accuser’s political desire to make public attribution, the ill-substantiation problem becomes prominent. Debates over the “control test” and misuse of the due diligence principle in cyber scenarios extend the scope of the territorial state’s responsibility. The lack of essential evidentiary requirements cripples the predictability and falsifiability of bringing an accusation. Inculpability for erroneous attribution invites recklessness on the part of the accusing state. In light of these legal deficiencies, an international norm on responsible state behavior for public attribution could be a promising way forward.
This chapter is a fully revised and expanded article developed with permission from the author's earlier contribution to a research report on Managing U.S.-China Tensions Over Public Cyber Attribution, published by Carnegie Peaceful Endowment in March 2022. The author owes thanks to Carnegie’s research team on cyber public attribution, inter alia, George Perkovich and Ariel Levite, for their earlier comments as well as the support for the reproduction of this lengthier article.
Notes
- 1.
To clarify, this Article uses the term “cyber operation” to incorporate different categories of cyber activities, including cyberattacks, which may amount to a use of force or armed attack in the sense of international law; cyber espionage, which refers to the large variety of activities below the Law of Armed Conflict (LOAC) in the cyber “grey zone”; and cyber-criminal activities, which do not trigger state responsibility in the strict and traditional sense, although this may be changing in the cyber scenario.
On another note, this Article focuses on public attribution made by states. Entities other than states can also publicly attribute blame for a cyber operation, but for different aims and subject to different rules, if any. Private corporations, usually cyber security firms, may aim to enhance their influence, cultivate market demands, and ultimately cash out by selling products, services, and solutions on cybersecurity. Media may simply want an eye-catching story and may be easily manipulated by customized feeds of source information provided by enterprises or state organs. Since it falls outside of the purview of international law, the problem with these entities making public attribution merits a separate piece of analysis.
- 2.
- 3.
The White House (2021).
- 4.
- 5.
Brenner (2009).
- 6.
For pioneering work reviewing the exercise of “matching an offender to an offence … in minimizing uncertainty” on tactical, operational, and strategic levels, see Rid and Buchanan (2015).
- 7.
Alperovitch (2018).
- 8.
The imparity of cyber capabilities among states, including that to attribute, has been assessed and largely validated by many empirical studies. For one example, see The International Institute for Strategic Studies (2021).
- 9.
For chart illustrations covering the period of 2015–2020 verifying this deduction, see Garrett Derian-Toth et al. (2021). Not surprisingly, the top five countries that made the most use of public attributions are all from the Five Eyes Alliance, and China, Russia, Iran and North Korea have been identified as the responsible actors for 75% of all state-sponsored offensive cyber operations.
- 10.
Egloff and Smeets (2021).
- 11.
Hinck and Maurer (2020).
- 12.
Romanosky and Boudreaux (2020).
- 13.
Schmitt and Vihul (2014).
- 14.
- 15.
Eichensehr (2020).
- 16.
Schmitt M, Vihul L, op. cit. 13.
- 17.
U.S. Office of the Director of National Intelligence (2018).
- 18.
Some have noted that different purposes of public attribution relate to different levels of evidence. See Eichensehr K, op. cit. 15, p 558.
- 19.
It is a long-debated question when cyber operations fall within the meaning of “armed attack” in the language of Art. 51 of the UN Charter. See, e.g., Dev (2015).
- 20.
Finlay and Payne (2019).
- 21.
China, Russia, et al. (2018).
- 22.
Quoted phrase appeared in the first statement of the US position on evidentiary issues, see Egan (2017). Regarding legal underpinnings of evidentiary issues in cyber attribution, “the U.S., British, French, and Dutch efforts to block the development of customary international law on attribution” have been criticized as “shortsighted.” See Eichensehr K, op. cit. 15, pp 521–598.
- 23.
The Group of Governmental Experts (2021).
- 24.
- 25.
White House Press Briefings (2021).
- 26.
Art. 2 of ARSIWA.
- 27.
(28 Jan 2002) General Assembly Resolution on Responsibility of States for internationally wrongful acts, UN Doc (A/RES/56/83). https://undocs.org/en/A/RES/56/83.
- 28.
Crawford (2013).
- 29.
Ibid, pp 146–154.
- 30.
Case concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. USA), Merits, (27 Jun 1986) ICJ Report.
- 31.
Prosecutor v. Tadic, Appeals Chamber, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction (2 Oct 1995) (ICTY-94–1-AR72).
- 32.
Shackleford and Andres (2010).
- 33.
Lahmann (2020).
- 34.
Prosecutor v. Tadic, paras. 131, 137.
- 35.
The Corfu Channel Case (United Kingdom v. Albania), Merits, ICJ Report, 1949.
- 36.
- 37.
- 38.
Schmitt (2017a), Rule 6. The rule reads: “State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other states.”
- 39.
The Group of Governmental Experts, Report on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (Advanced Copy) (2021).
- 40.
See CCDCOE Cyberlaw Wiki, Due diligence. https://cyberlaw.ccdcoe.org/wiki/Due_diligence.
- 41.
Remarks by President Biden on the Economy (2021).
- 42.
Remarks by President Biden in Press Conference (2021).
- 43.
- 44.
Lahmann H, op. cit. 33, p 91.
- 45.
Report of the Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (Advanced Copy) (2021).
- 46.
One commentator deems the evidentiary requirement in legal argument on cyber issues a deadlock problem, which has no solution so long as one sticks to an interventionist approach to impose international law on cyber operations. See d'Aspremont (2016).
- 47.
Quoted phrase appeared in the first statement of the US position on evidentiary issues, see Egan BJ, op. cit. 22, p 177. Regarding legal underpinnings of evidentiary issues in cyber attribution, “the U.S., British, French, and Dutch efforts to block the development of customary international law on attribution” have been criticized as “shortsighted.” See Eichensehr K, op. cit. 15, pp 521–598.
- 48.
ARSIWA, Commentaries, Chapter V, p 8.
- 49.
Margulies (2015).
- 50.
Lahmann H, op. cit. 33, pp 93–97.
- 51.
Oil Platforms (Iran v. U. S.), ICJ Judgment of 6 November 2003, Separate Opinion of Judge Higgins, para. 33.
- 52.
Green (2009).
- 53.
Rome Statute of the International Criminal Court, Article 66(3).
- 54.
Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), Judgment, ICJ Reports 2007, p. 90, para. 209.
- 55.
The Land, Island and Maritime Frontier Dispute (El Salvador/Honduras), ICJ Judgment of 11 September 1992, para. 248; Sovereignty over Pedra Branca/Pulau Batu Puteh, Middle Rocks and South Ledge (Malaysia/Singapore), ICJ Judgment of 23 May 2008, para. 86.
- 56.
Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. U. S.), ICJ Judgment of 27 June 1986, paras. 106, 109, 115, 135, 207; Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda), ICJ Judgment of 2005, ICJ Reports (2005), paras. 72, 91, 136.
- 57.
O’Connell (2002); Eichensehr K, op. cit. 15, pp 559–562.
- 58.
Teitelbaum (2007).
- 59.
See Schmitt (2011).
- 60.
Brunner et al. (2019).
- 61.
Eichensehr K, op. cit. 15, pp 576–586.
- 62.
Rid T, Buchanan B, op. cit. 6, p 28.
- 63.
Eichensehr K, op. cit. 15, pp 571–572.
- 64.
Bin Cheng first put forward the notion of "instant" international customary law in a discussion on outer space law. See Bin Cheng, United Nations Resolutions on Outer Space: ‘Instant’ International Customary Law? In: Bin Cheng (1997).
- 65.
Rid T, Buchanan B, op. cit. 6, p 32.
- 66.
Milanovic (2020).
- 67.
Sklerov (2009).
- 68.
The White House (2012).
- 69.
Schmitt (2017b).
- 70.
ARSIWA, Commentaries, art. 49(3).
- 71.
Lahmann H, op. cit. 33, pp 97–109.
- 72.
Shany and Schmitt (2020).
- 73.
Eichensehr (2019).
- 74.
Report of the Group of Governmental Experts on Advancing Responsible State Behavior in Cyberspace in the Context of International Security, (Advanced Copy) (2021).
- 75.
Art. 4, Understanding on rules and procedures governing the settlement of disputes, Annex 2 of the WTO Agreement.
- 76.
Art. 2 of ARSIWA.
- 77.
- 78.
Guillaume Poupard, the head of the French cybersecurity agency (ANSSI), revealed an attack campaign with the APT31 modus operandi targeting France. https://www.linkedin.com/feed/update/urn:li:activity:6823528088136105984; https://www.cert.ssi.gouv.fr/ioc/CERTFR-2021-IOC-003.
- 79.
Desforges and Géry (2021).
- 80.
According to Antiy Tech Group, a Chinese cyber security firm, multiple cyberattacks targeting Chinese defense and military units have been captured this year alone, allegedly all from India. See Huanqiu News (2021).
References
Alperovitch D (2018) Stopping the next cyber conflict. The Cipher Brief. https://www.thecipherbrief.com/column_article/stopping-next-cyber-conflict
Brenner S (2009) Cyber threats: the emerging fault lines of the nation state. Oxford University Press, London, p 5
Brunner I, Dobric M, Pirker V (2019) Proving a state’s involvement in a cyber attack: evidentiary standards before the ICJ. In: Tiittala T (ed) Finnish yearbook of international law. Hart Publishing, Oxford, pp 88–89
Cheng B (1997) Studies in international space law. Oxford University Press, London, Chapter 7
China, Russia, et al (2018) General assembly draft resolution, developments in the field of information and telecommunications in the context of international security, para. 10, U.N. Doc. A/C.1/73/L.27. https://undocs.org/A/C.1/73/L.27
Chircop L (2018) A due diligence standard of attribution in cyberspace. Int Comparative Law Q 67:643–668
Corn G (2021) International law’s role in combating ransomware? Just Security. https://www.justsecurity.org/77845/international-laws-role-in-combating-ransomware
Council of the EU (19 Jul 2021) China: Declaration by the high representative on behalf of the European Union urging Chinese authorities to take action against malicious cyber activities undertaken from its territory. https://www.consilium.europa.eu/en/press/press-releases/2021/07/19/declaration-by-the-high-representative-on-behalf-of-the-eu-urging-china-to-take-action-against-malicious-cyber-activities-undertaken-from-its-territory
Crawford J (2013) State responsibility: the general part. Cambridge University Press, London, p 43
d’Aspremont J (2016) Cyber operations and international law: an interventionist legal thought. J Conflict Secur Law 23(3):575–593
Garrett Derian-Toth et al (2021) Opportunities for public and private attribution of cyber operations. Tallinn Paper Series 12:8–9
Desforges A, Géry A (2021) France doesn’t do public attribution of cyberattacks. But it gets close. Lawfare. https://www.lawfareblog.com/france-doesnt-do-public-attribution-cyberattacks-it-gets-close
Dev P (2015) "Use of Force" and "Armed Attack" thresholds in cyber conflict: the looming definitional gaps and the growing need for formal U.N. Response. Texas Int Law J 50(2):381–401
Dong W et al (2014) United States District Court Western District of Pennsylvania (Criminal No. 14–118). In: The United States Department of Justice. https://www.justice.gov/iso/opa/resources/5122014519132358461949.pdf
Egan BJ (2017) International law and stability in cyberspace. Berkeley J Int Law 35:177
Egloff FJ (2020) Public attribution of cyber intrusions. J Cybersecurity 2020:1–12
Egloff F, Smeets M (2021) Publicly attributing cyber attacks: a framework. The J Strategic Stud 2021:1–32
Eichensehr KE (2019) Decentralized cyberattack attribution. Am J Int Law Unbound 113:213–217
Eichensehr K (2020) The law and politics of cyberattack attribution. UCLA Law Rev 67:532
Finlay L, Payne C (2019) The attribution problem and cyber armed attacks. Am J Int Law Unbound 113:202–206
Fischerkeller M, Harknett R (2017) Deterrence is not a credible strategy for cyberspace, Foreign Policy Research Institute, pp 381–393
UK Foreign, Commonwealth & Development Office, National Cyber Security Centre, and The Rt Hon Dominic Raab MP (2021) UK and allies hold Chinese state responsible for a pervasive pattern of hacking. https://www.gov.uk/government/news/uk-and-allies-hold-chinese-state-responsible-for-a-pervasive-pattern-of-hacking
France’s Cyber Strategy (2008). http://archives.livreblancdefenseetsecurite.gouv.fr/2008/information/les_dossiers_actualites_19/livre_blanc_sur_defense_875/index.html
French Cyber defense Strategic Review (2018). http://www.sgdsn.gouv.fr/uploads/2018/03/revue-cyber-resume-in-english.pdf
Goldsmith J (2021) Empty threats and warnings on cyber. Lawfare. https://www.lawfareblog.com/empty-threats-and-warnings-cyber
Green JA (2009) Fluctuating evidentiary standards for self-defence in the international court of justice. Int Comparative Law Q 58:166
Harding E, McCabe R, Lewis JA (2021) Kaseya ransomware attack demands action to match rhetoric, CSIS. https://www.csis.org/analysis/kaseya-ransomware-attack-demands-action-match-rhetoric
Hinck G, Maurer T (2020) Persistent enforcement: criminal charges as a response to nation-state malicious cyber activity. J Natl Secur Law & Policy 10:525–561. https://jnslp.com/wp-content/uploads/2020/05/Criminal-Charges-as-a-Response-to-Nation-State-Malicious-Cyber-Activity.pdf
Jensen ET, Watts S (2021) Cyber Due Diligence. Oklahoma Law Review 73(4):645–710
Keitner CI (2019) Attribution by indictment. Am J Int Law Unbound 113:207–212
Lahmann H (2020) Unilateral remedies to cyber operations: self-defence, countermeasures, necessity, and the question of attribution. Cambridge University Press, London, p 88
Mackenzie R, Scott G (2021) Due diligence as a secondary rule of general international law. Leiden J Int Law 34:343–372
Margulies P (2015) Sovereignty and cyberattacks: technology’s challenge to the law of state responsibility. Melbourne J Int Law 14:296
McKenzie T (2017) Is cyber deterrence possible? Air University Press, Air Force Research Institute Papers, pp 7–9
Milanovic M (2020) Mistakes of fact when using lethal force in international law: part I-III, EJIL Talk
NATO (2021) Statement by the North Atlantic Council in solidarity with those affected by recent malicious cyber activities including the Microsoft Exchange Server compromise. https://www.nato.int/cps/en/natohq/news_185863.htm?selectedLocale=en
Huanqiu News (2021). https://world.huanqiu.com/article/45PXEh1gLZR
O’Connell ME (2002) Evidence of terror. J Conflict Secur Law 7:22
Remarks by President Biden in Press Conference (2021). https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/06/16/remarks-by-president-biden-in-press-conference-4
Remarks by President Biden on the Economy (2021). https://www.whitehouse.gov/briefing-room/speeches-remarks/2021/05/10/remarks-by-president-biden-on-the-economy
Report of the Group of Governmental Experts on Advancing responsible State behavior in cyberspace in the context of international security (Advanced Copy) (2021) para. 71(g)
Rid T, Buchanan B (2015) Attributing cyber attacks. J Strateg Stud 38:4–37
Romanosky S, Boudreaux B (2020) Private-sector attribution of cyber incidents: benefits and risks to the U.S. Government. Int J Intell Counterintelligence 2020:1–31
Schmitt MN (2011) Cyber operations and the jus ad bellum revisited. Villanova Law Rev 56(3):595
Schmitt M, Vihul L (2014) Proxy wars in cyberspace: the evolving international law of attribution. Fletcher Secur Rev I(II):1–20
Shackelford S, Russell S, Kuehn A (2016) Unpacking the international law on cybersecurity due diligence: lessons from the public and private sectors. Chic J Int Law 17(1):1–50
Shackleford S, Andres R (2010) State responsibility for cyberattacks: competing standards for a growing problem. Georgetown J Int Law 42(971):987
Shany Y, Schmitt M (2020) An international attribution mechanism for hostile cyber operations. Int Law Stud 96:196–222
Sklerov MJ (2009) Solving the dilemma of state responses to cyberattacks: a justification for the use of active defenses against states who neglect their duty to prevent. Military Law Rev 201:1
Schmitt M (ed) (2017a) Tallinn Manual 2.0 on the international law applicable to cyber operations
Schmitt M (ed) (2017b) Tallinn Manual 2.0 on the international law applicable to cyber operations. Cambridge University Press. Rule 71, para. 23
Teitelbaum R (2007) Recent fact-finding developments at the international court of justice. Law Pract Int Courts Tribunals 6(119):122
The Group of Governmental Experts (2021) Report on advancing responsible state behavior in cyberspace in the context of international security (Advanced Copy), para. 71(g)
The Group of Governmental Experts, Report on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (Advanced Copy) (2021) Norm 13(c). The norm reads: states should not knowingly allow their territory to be used for internationally wrongful acts using ICTs
The International Institute for Strategic Studies (2021) Cyber capabilities and national power: a net assessment. https://www.iiss.org/blogs/research-paper/2021/06/cyber-capabilities-national-power
The White House (2012) Presidential policy directive/PPD-20, p 7
The White House (2021) The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China. https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china
U.S. DOJ Press Conference Transcript (2020) Charges against Russian officers, Oct. 19, 2020. https://www.rev.com/blog/transcripts/doj-press-conference-transcript-october-19-charges-against-russian-officers
U.S. Office of the Director of National Intelligence (2018) A guide to cyber attribution
White House Press Briefings (2021) Background press call by senior administration officials on malicious cyber activity attributable to the People’s Republic of China. https://www.whitehouse.gov/briefing-room/press-briefings/2021/07/19/background-press-call-by-senior-administration-officials-on-malicious-cyber-activity-attributable-to-the-peoples-republic-of-china
Acknowledgements
The author would extend the deepest appreciation to George Perkovich, Ariel Levite, Jon Bateman, Scott Collard, June Lee from Carnegie Endowment for International Peace, to Chuanying Lu, Manshu Xu from Shanghai Institute for International Studies, and to Yan Li from China Institutes of Contemporary International Relations, for their insightful critiques on earlier drafts of this Article.
© 2023 The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd.
About this chapter
Cite this chapter
Yang, F. (2023). Pointing with Boneless Finger and Getting Away with it: The Ill-Substantiation Problem in Cyber Public Attribution. In: Lee, E.Y.J. (eds) Revolutionary Approach to International Law. International Law in Asia. Springer, Singapore. https://doi.org/10.1007/978-981-19-7967-5_14
DOI: https://doi.org/10.1007/978-981-19-7967-5_14
Publisher Name: Springer, Singapore
Print ISBN: 978-981-19-7966-8
Online ISBN: 978-981-19-7967-5
eBook Packages: Law and Criminology (R0)