Sovereignty, State Responsibility & Attribution in Cyberspace – By Lauren Skinner
Sovereignty sits at the heart of the international legal system. Indeed, the modern international system of States relies fundamentally upon respect for State sovereignty and the prohibition on the use of armed force. But what happens when a State infringes upon another State, not through the use of armed force, but through cyberoperations? This is an obvious breach of international law, but how would one go about enforcing it? How would one prove another State’s responsibility? In recent years, this has been an increasingly relevant area of law, most notably through the Russian interference in the 2016 US presidential election. It is imperative that States develop comprehensive and clear rules on State responsibility for cyberoperations to prevent ongoing infringements on State sovereignty.
While the rules of state responsibility are well-established under international law, their application in the cyberworld leaves a lot to be desired. The Draft Articles on State Responsibility (ASR), many of which are considered customary international law, have been translated into a cyber context in the Tallinn Manuals. The Tallinn Manuals are two publications developed by an international group of experts comprising rules and commentary that are intended to reflect the current state of international law in cyberspace. Despite these concerted efforts to translate the ASR to a cyber-context, the legal regime in cyberworld remains poorly defined, particularly in relation to State responsibility. This creates significant problems with enforcing State responsibility for internationally wrongful cyberoperations, and allows significant space for States to infringe upon others’ sovereignty through their cyberoperations.
The Difficulties of Attribution in Cyberspace
Attributing cyberoperations to a State is a lengthy and complicated process that involves a factual assessment of who engaged in the conduct, and a legal assessment of whether that individual or entity’s conduct can be attributed to a State. Both factual and legal attribution are extremely problematic in cyberspace.
(a) Factual Attribution
Generally, discussions of attribution are not about who did it, but rather who can be held responsible for it; however, in the cyber context, even this first step is highly problematic. Sophisticated attacks by knowledgeable hackers are near impossible to trace, and the science of tracing cyberattacks has been described as ‘primitive at best.’ Traditional presumptions used in attribution, such as the use of governmental assets or the geographical location of the internationally wrongful act, do not apply in the cyber context. Non-State actors or other States may acquire control over government cyber infrastructure, rendering the presumption regarding use of governmental assets meaningless. Additionally, techniques such as ‘spoofing’, in which a cyberattack appears to originate from a source other than its real source, are commonly used by hackers to disguise their identity or location.
(b) Legal Attribution
Factual attribution is only step one in attributing internationally wrongful cyber acts. If it can be established where or from whom a cyberoperation originated, it still must be determined whether a State can be held responsible for the conduct. Under Rule 15 of the Tallinn Manual 2.0, ‘cyber operations conducted by organs of a State, or by persons empowered … to exercise governmental authority, are attributable to the State.’ While this likely reflects customary international law (CIL) and is therefore enforceable against a State, in most cases of foreign election interference, it will not be a government organ directly conducting the cyberoperations. In cases where an entity is exercising governmental authority, attribution both in fact and law remains extremely difficult. Cases that have considered an ASR Article 5 argument to attribute responsibility to a State have been largely confined to bodies which have had ‘governmental authority’ conferred on them by legislation or through contracts and agreements. If a government is relying on an entity to perform cyberoperations that may breach its international obligations, as in the case of foreign election interference, the conferral of authority is unlikely to be as clear or public as a contract or legislative framework. For this reason, this part of the provision is unlikely to be successful in holding a State responsible for an internationally wrongful act.
Rule 17 of the Tallinn Manual 2.0 states that the conduct of non-State actors is attributable to a State when the actor is engaged pursuant to the State’s instructions or is under its direction or control. In relation to the equivalent section of the ASR, the International Court of Justice (ICJ) has stated that non-State conduct is only attributable to a State where the State has ‘effective control’ over the conduct in question. Given the technical challenges of establishing factual attribution outlined above, it has been noted that adopting the ‘effective control’ standard in the cyber context ‘could give a free pass to State sponsorship of cyberattacks.’ Applying this test, it would be near impossible to enforce the responsibility of a State.
Overcoming Attribution Difficulties to Protect Sovereignty
Considering the example of foreign interference in an election, we can see the near impossibility of holding a State responsible for cyberoperations that likely breach international rules on nonintervention and respect for sovereignty. A State organ spreading misinformation or hacking into and releasing private information can hide behind techniques such as spoofing and use of nongovernmental cyber infrastructure to avoid responsibility. Any entity acting under the direct instructions and control of a State is unlikely to leave sufficient evidence to show the requisite level of control. The current standards relating to control and burdens of proof for attribution are highly unlikely to be met by States injured by cyberoperations, due to the unique nature of cyberspace and the interrelated issues of evidence, national security, timing and identification difficulties.
Greater clarity and more appropriate tests are required in order for State responsibility laws to function effectively in cyberspace. Some commentators have argued for a flexible standard of State responsibility in cyberspace; others have argued that States should have an obligation to police and regulate all cyber activities originating in their territory; and others have supported a comprehensive treaty for cyberspace regulation. While the present status, and indeed absence, of international law on cyberoperations is beneficial for States who engage in cyberoperations against other States and non-State actors, there is an increasing need for clarity on the rules and obligations of States in this area. Given the increasing prominence of the cyberworld, these issues require extensive multilateral coordination and for States to clarify exactly how far international regulation of cyber should extend, and how it should function. The most practical framework for this would be through a comprehensive, multilateral treaty on both rules and obligations in cyberspace, and State responsibility for cyberoperations.
To ensure both the relevance and the uniform application of international law, it is important that States are clear about their rights and obligations in cyberspace, and that they can be held responsible, and can hold others responsible, in cases where these rights or obligations have been breached. While the Tallinn Rules have initiated important discussions in the area of cyberspace law, States must now step up to provide legal clarity on the regulation of cyberspace, not only for their security, but for the security of the billions of people around the world online.