Sovereignty, State Responsibility & Attribution in Cyberspace By Lauren Skinner Sovereignty sits at the heart of the international legal system. Indeed, the modern international system of States relies fundamentally upon respect for State sovereignty and the prohibition on the use of armed force. But what happens when a State infringes upon another State, not through the use of armed force, but through cyberoperations? This is an obvious breach of international law, but how would one go about enforcing it? How would one prove another State’s responsibility? In recent years, this has been an increasingly relevant area of law, most notably through the Russian interference in the 2016 US presidential election. It is imperative that States develop comprehensive and clear rules on State responsibility for cyberoperations to prevent ongoing infringements on State sovereignty.
intended to reflect the current state of international law in cyberspace. Despite these concerted efforts to translate the ASR to a cyber-context, the legal regime in cyberworld remains poorly defined, particularly in relation to State responsibility. This creates significant problems with enforcing State responsibility for internationally wrongful cyberoperations, and allows significant space for States to infringe upon others’ sovereignty through their cyberoperations.
The Difficulties of Attribution in Cyberspace Attributing cyberoperations to a State is a lengthy and complicated process that involves a factual assessment of who engaged in the conduct, and a legal assessment of whether that individual or entity’s conduct can be attributed to a State. Both factual and legal attribution are extremely problematic in cyberspace.
While the rules of state responsibility are well-established under international law, their application in the cyberworld leaves a lot to be desired. The Draft Articles on State Responsibility (ASR), many of which are considered customary international law, have been translated into a cyber context in the Tallinn Manuals. The Tallinn Manuals are two publications developed by an international group of experts comprising rules and commentary that are
(a) Factual Attribution Generally, discussions of attribution are not about who did it, but rather who can be held responsible for it; however, in the cyber context, even this first step is highly problematic. Sophisticated attacks by knowledgeable hackers are near impossible to trace, and the science of 29
