Attributing Cyber Operations Under International Law: Political and Legal Aspects

The attribution of cyber operations to individuals, entities, and states has been a consistently recurring topic of research, across disciplines. This also includes an intensive debate among international law academics, trying to make sense of the so-called ‘legal attribution’ in the cyber context. Since 2017, significant developments in the public political attribution of cyber operations to states by European Union Member States, the so-called Five Eyes (Australia, Canada, New Zealand, the UK, and the US), Japan, but also China, have led to a slightly changed perception of the capabilities of states to attribute. While in the early 2010s, the common understanding was that attribution is extremely difficult to achieve, the significant amount of public political attributions undertaken in recent years suggests that attribution may be possible, although evidence to prove the attribution is rarely provided to a satisfying extent.

Also, even more recently, more and more states have come forward with publishing their own national views on how international law applies to cyberspace, and many have also commented on the legal rules of attribution in this context. This article reassesses cyber attribution in light of these recent developments, both from a political and a legal point of view.

Section 2 explores how the existing rules of international law – including the rules of state responsibility – apply to the cyber context. The present author argues that existing rules, especially the ILC Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA), can be applied to the cyber context, and that there is currently no lex specialis discernible suggesting otherwise. Moreover, most recent opinio juris by states supports this argument. Section 2 further argues that the primary issue of attribution is evidence, not the legal requirements as set out by the ARSIWA. Section 3 then addresses the more recent phenomenon of ‘public political attributions’ undertaken in various forms (such as through press statements, sanctions, or indictments) and links it to the relevance of international law. It argues that states are reluctant to turn ‘political attributions’ into ‘legal attributions’, by generally refusing to apply existing international law to real-life cyber cases. Section 4 concludes.

For the purpose of this article, attribution is defined as the act of ascribing a specific ‘malicious’ cyber operation against a state to another state. This definition thus encompasses the technical, political and legal dimension of attribution, as long as the attribution is made to a specific state. Some states like to draw clear lines between technical, political, and legal attribution. While these elements are analytically (and, to a certain extent, legally) distinct, in practice, each element informs the other.