25 August 2021

Cyber Attribution and State Responsibility

William Banks

Abstract
We might expect international law to specifically address cyber attribution requirements due to the significance of attribution in framing the legal responsibility of States and the boundaries of responsive actions by victim States. However, there is little international law of cyber attribution, and what law there is exists largely by implication. Likewise, there is only a murky and highly contested law of State responsibility that theoretically constrains the vast majority of State-sponsored cyberattacks. Because victim States cannot engage in countermeasures unless they attribute a cyberattack to a State, attribution can serve simultaneously to constrain and empower victim States. However, the lack of a common understanding about whether cyber attribution is required—much less what evidence suffices for attribution of a cyberattack for international law purposes—combined with the absence of consensus legal rules to limit cyber intrusions, has helped render the entire international legal response to cyberattacks weak and largely ineffective. Going forward, States and the international community should support public cyber attributions and address what legal or evidentiary standards must be met to attribute responsibility for a cyberattack to a State. A viable cyber attribution regime is a missing but key component for States to overcome the Wild West cyber environment that we live in.
