Cyber Attacks and the Problem of Attribution

Introduction

Under international humanitarian law (IHL), cyber warfare refers to the “means and methods of warfare that consist of cyber operations amounting to, or conducted in the context of, an armed conflict.”[1] These attacks may include hacking, data breaches, disrupting the functioning of National Critical Infrastructure (NCIs), or aiding conventional armed conflicts with cyber technology. Cyber warfare is rapidly rising to become a global threat and is thus attracting a lot of debate. Although there is no comprehensive law regulating cyber attacks under international law, Article 36 of Additional Protocol I to the Geneva Conventions (API) instructs states to routinely review the legality of emerging weapons, indicating that the existing law can regulate the cyber realm. This understanding was also echoed by the International Court of Justice (ICJ) in its Advisory Opinion on the Legality of Nuclear Weapons when it clarified that the IHL regime, its rules and laws, are applicable to “all forms of warfare and to all kinds of weapons, including those of the future.”[2]

[1] ICRC, ‘What Limits Does the Law of War Impose on Cyber Attacks?’ (2013) <https://www.icrc.org/eng/resources/documents/faq/130628-cyber-warfare-q-and-a-eng.htm>

[2] International Court of Justice, Legality of the threat or the use of nuclear weapons, Advisory Opinion, 8 July 1996, para. 86.

While this leaves no doubt that the existing law can extend to cyber attacks, it does not mean that the application of the law is as straightforward as for conventional warfare. One of the biggest impediments to its application is the problem of attributing cyber attacks to either states or non-state actors where the identity of the attacker or the source of the attack is unknown. This article explores the question of attribution of those cyber attacks where attackers using modern technologies either conceal their identities, alter their IP addresses, or stage attacks, and offers potential solutions to ease the process of attribution in such cases.

What is a Cyber Attack?

According to Article 49 API, an attack is an “act of violence against the adversary, whether in offence or in defense”. Over the years, states have deliberated upon whether this definition should be broadened to include cyber operations under the definition of an ‘attack’. The Tallinn Manual 2.0 recognises a kinetic cyber attack as a “cyber operation, whether offensive or defensive, that is reasonably expected to cause injury or death to persons or damage or destruction to objects.”[3] Therefore, cyber operations causing physical damage to civilian objects or life amount to cyber attacks as per the attacks envisaged under Article 49 API.

[3] Tallinn Manual ON THE INTERNATIONAL LAW APPLICABLE TO CYBER OPERATIONS (Michael N. Schmitt ed., 2d ed. 2017), Rule 30.

However, it is contentious whether cyber operations that cause data breaches leading to no physical damage constitute cyber attacks. This scepticism is furthered by the ICRC’s interpretation of attacks as ‘combat action’, denoting the requirement of physical force.[4] This means that non-kinetic cyber operations which culminate in some physical damage are deemed attacks, whereas cyber operations resulting in data breaches, disrupting software or stealing military information are not considered attacks and are, therefore, not governed by the principles of distinction, proportionality and precaution under IHL. Regardless of the views on different types of attacks, states are increasingly realising the need to regulate cyberspace given its huge potential to create a humanitarian crisis during war.

[4] Schmitt, M. N., ‘Attack as a Term of Art in International Law: Implications for Cyber Operations’. (2012) 5 Journal of Conflict & Security Law 215. Available at: https://ccdcoe.org/uploads/2012/01/5_2_Schmitt_AttackAsATermOfArt.pdf [Accessed 19 April 2023].

The Test for Attribution

Under international law, tracing the origin of the attack is necessary for its attribution, as cyber attacks can be launched by states, non-state actors or forces posing to be both. The International Law Commission’s Draft Articles for Responsibility of States for Internationally Wrongful Acts, 2001, hold that states are to be held responsible for attacks that are undertaken by state organs,[5] persons or entities upon which the state exercises governmental authority,[6] persons or groups acting under the state’s control,[7] and private persons or groups whose conduct the state adopts as its own.[8] When the Tallinn Manual was being drafted, it was unanimously agreed by international legal experts that the customary law of state responsibility is also applicable to cyber operations and activities.[9] The mere fact that a cyber attack breaches a state’s international legal obligation is sufficient for state responsibility to be invoked.[10]

[5] Article 4, Draft Articles for Responsibility of States for Internationally Wrongful Acts, 2001.

[6] Article 5, Ibid.

[7] Article 8, Ibid.

[8] Article 11, Ibid.

[9] TALLINN MANUAL 2.0 at 80, ¶ 4.

[10] Ibid, at 84, r. 14.

Following this consensus, Rule 15 of the Tallinn Manual echoes the aforementioned Articles 4 and 5 of the Articles on State Responsibility. According to the explanatory note of the Rules, actions of state organs are attributable to the State[11] even outside the organisation’s approved authority, or ultra vires.[12] Furthermore, organs of the state would also include actors that are not directly an organ of the state but have ‘complete dependence’ on the state, or other entities that include some form of governmental authority.[13] Additionally, the conduct of state agents acting on the instructions of, or under the direction or control of, the State is also attributed to the State.[14] Moreover, an organ of one state may be placed at the disposal of another state. If that organ functions exclusively under the control of the receiving state, and thus engages in activities for the objectives and on behalf of that state, the organ’s acts are attributable to the receiving state.[15]

[11] Ibid at 87–90, ¶¶ 3, 8–11.

[12] Ibid at 89, ¶ 9.

[13] Ibid at 88, ¶ 4.

[14] Ibid. at 94, r. 17.

[15] Ibid at 93, ¶ 1.

However, there are certain problems that arise when attributing cyber activities under the state responsibility regime because of the difference between the nature of a conventional attack and a cyber attack.

Problems with Attribution

Prior to the global emergence of cyber operations, attacks could be attributed to a state when tanks, warships, or weapons were the primary means of conflict. However, the same cannot be said for cyber activities. Due to the ability to capture or spoof cyber infrastructure, which may include the originating place, “the mere fact that a cyber operation has been launched or otherwise originates from a specific governmental infrastructure, or that malware used against hacked cyber infrastructure is designed to ‘report back’ to another State’s governmental cyber infrastructure is generally insufficient evidence for attribution to the State”.[16] Unlike a physical attack, the ongoing or incoming occurrence of a cyber attack is difficult to ascertain. Thus, the intangibility of cyber attacks exacerbates the attribution problem.

[16] Ibid, at 91, ¶ 13.

Another difficult legal question regarding attribution is the role of non-state actors. The problem arises when non-state actors are either deployed as proxies for a state or are working on behalf of the state without clear legal authority to do so. This problem has been expanded upon in Rule 17 of the Tallinn Manual, which follows the language of Article 8 of the Articles on State Responsibility. Where a state has ‘effective control’ over the actions of the non-state actor, i.e., specific instructions are given for actions, and not mere encouragement or support, the cyber activity of the non-state actor can be attributed to the state. However, the ultra vires activities of non-state actors which fall outside the ‘effective control’ of the state would not be attributed to the state.

This problem is compounded by the contested threshold of attribution in the cyber realm and IHL in general. Traditionally, a “State’s preponderant or decisive participation in the financing, organising, training, supplying, planning” does not attract state responsibility, as held by the ICJ in Military and Paramilitary Activities in and against Nicaragua (Nicaragua v the United States).[17] The ICJ ruled that only if the Nicaraguan rebels had been directed or controlled by the United States would they have met the “effective control standard”.[18] Thus, in the cyber realm, providing cyber tools, identifying targets, or selecting the date for the cyber operation is insufficient to implicate the state in a non-state actor’s cyber activity. Such was seen in the Russia-Estonia conflict when Russia conducted cyber operations in Estonia, in the wake of the moving of a Russian war memorial.[19]

[17] Military and Paramilitary Activities in and against Nicaragua, 1986, ¶ 109.

[18] Ibid, ¶ 116.

[19] R. Ottis, Analysis of the 2007 Cyber Attacks against Estonia from the Information Warfare Perspective, in Proceedings of the 7th European Conference on Information Warfare and Security, Plymouth, 2008, at 163 (2008), https://ccdcoe.org/multimedia/analysis-2007-cyberattacks-against-estonia-information-warfare-perspective.htm.

It has to be proven that the State exercises control over the non-state actors perpetrating cyber attacks. This leads to a two-fold problem. First, there is the difficulty of attributing a cyber activity to a state given the high threshold. If the activity cannot be attributed, it cannot be regulated or stopped. Second, the recourse available to the victim state of an unattributable cyber activity is also problematic and unsatisfactory. Victim states cannot do much except take countermeasures, as they cannot force the host state to take effective action against the non-state actor in light of the principles of sovereignty and due diligence.[20] Further, attribution is also critical to determining the legality of self-defence practised by victim states through counter-offensive operations under Article 51 of the UN Charter, which is further subject to the limitations of necessity and proportionality.

[20] Georgetown University Law Center. International Law Journal. ‘Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations’. Volume 48, Issue 3 (2018). Available at: https://www.law.georgetown.edu/international-law-journal/wp-content/uploads/sites/21/2018/05/48-3-The-Tallinn-Manual-2.0.pdf [Accessed 19 April 2023].

Solutions to the Problems of Attribution

Apart from the technological impairments that complicate attribution in the cyber realm, the lack of an evidentiary requirement agreed upon by the states is a major obstacle to attributing cyber attacks. The ICJ suggested that the standards of evidence should vary according to the severity of the attack.[21] However, as put forward by Kristen Eichensehr,[22] varying scales of evidence can only be helpful for attacks of magnitude, but not for those which fall below the armed attack threshold. Hence, she argues that a minimum standard of ‘some’ evidence may avoid conflict in the developing realm.[23] For instance, detailed ‘sufficient’ technical information regarding the attack can be given to all potential attributors to confirm or debunk the attribution.[24]

[21] Ibid ¶ 577.

[22] Director, National Security Law Centre, University of Virginia.

[23] Ibid.

[24] Ibid ¶ 578.

Government attributors should also provide information to other state and non-state actors for independent oversight.[25] Through this, attributors can bring their own findings which could collectively lead to either a confirmation or a refusal of attaching state responsibility to an attack. The recent attacks in England of WannaCry, NotPetya and the Organisation for the Prohibition of Nuclear Weapons hack demonstrate that collective attribution boosts the credibility of the claims made.[26] Therefore, the victim state must be able to convince every actor with sufficient and credible evidence of its attribution.[27] According to the Tallinn Manual, a state attributing a low-level cyber attack to a state must thus bring firm evidence against the perpetrator as compared to an attack which is highly disruptive.[28]

[25] Ibid ¶ 583.

[26] Przemysław Roguski, Russian Cyber Attacks Against Georgia, Public Attributions and Sovereignty in Cyberspace, JUST SECURITY (Mar. 6, 2020), https://www.justsecurity.org/69019/russian-cyber-attacks-against-georgia-public-attributions-and-sovereignty-in-cyberspace/ (in February 2020, twenty States collectively accused Russia of conducting cyber operations against Georgia); Russia Cyber-Plots: US, UK and Netherlands Allege Hacking, BBC (Oct. 4, 2018), https://www.bbc.com/news/world-europe45746837 (noting organised accusations by Canadian, Dutch, U.S., and U.K. officials against the GRU).

[27] Ibid.

[28] TALLINN MANUAL 2.0, at 82.

Secondly, countermeasures should be restricted to states or non-state actors committing internationally wrongful acts. However, short of countermeasures, victim States may be allowed to respond to such intrusions through ‘retorsions’ including protests, access to State resources, trade routes and economic sanctions that would affect the State.[29] The United States, in 2021, even allowed declaring diplomats persona non grata[30] and destabilising cyber-activities, as hostile actions.[31] These actions may be deemed unfriendly but still lawful.[32] It should be noted that self-defence can only be resorted to when there is no doubt regarding the attribution of the attack.

[29] Thomas Giegerich, Retorsion, MAX PLANCK ENCYCLOPEDIAS OF PUBLIC INTERNATIONAL LAW (updated Sept. 2020), https://opil.ouplaw.com/view/10.1093/law:epil/9780199231690/law-9780199231690-e983?rskey=gdXVnW&result=1&prd=MPIL.

[30] Asking a foreign diplomat to be recalled to their home country.

[31] United Nations General Assembly, 73/266 Official compendium of voluntary national contributions on the subject of how international law applies to the use of information and communications technologies by States, https://front.un-arm.org/wp-content/uploads/2021/08/A-76-136-EN.pdf.

[32] International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts with Commentaries, 56 U.N. GAOR Supp. No. 10, chapeau to ch. II of pt. 3, cmt. ¶ 3, U.N. Doc. A/56/10 (2001), reprinted in [2001] 2 Y.B. Int’l L. Comm’n 26, U.N. Doc. A/CN.4/SER.A/2001/Add.1 (Part 2), https://legal.un.org/ilc/documentation/english/reports/a_56_10.pdf.

Thirdly, there should be an international organisation which can impartially attribute cyber attacks based on the data from states and non-state actors that are reluctant to share data publicly. The CyberPeace Institute is an institution in Geneva that works on a similar mandate; however, it is unclear whether the entity can hold states accountable.[33] If developed strategically and with the support of the leading States, such an organisation can also provide technical expertise, which is currently lacking, and support the weaker states that do not have the resources to rightfully initiate the process of attribution. Most importantly, the independence of the institution can prevent biased attributions, and its technical expertise can avoid erroneous attributions.

[33] The CyberPeace Institute is a novel non-profit organisation recently established in Geneva with a mission of “assistance, accountability, and advancement” to “enhance the stability of cyberspace” by collaboratively analysing cyberattacks by assisting victims whose digital security systems are deficient, coordinating resources to assign accountability, and advocating for the exposure and bridging of legal and normative gaps in international law. To date, however, it is not clear that the institute is likely to make accusations on its own. See CYBERPEACE INSTITUTE, https://cyberpeaceinstitute.org/

Conclusion

Cyber activities are on the rise on the global stage. Such activities are now becoming the new normal instead of traditional attacks. International law, although envisaged long before the emergence of such technologies, is able to govern cyber operations under its ambit. The most important aspect of an attack for it to be fully prosecuted is its attribution to either a state or a non-state actor. Traditionally, any activity related to a physical attack could be easily ascertained. However, the same cannot be done with cyber activities, as attackers can easily conceal their identities.

Moreover, non-state actors either acting as proxies or acting without any clear legal authority are a major hurdle to the attribution of a cyber activity. This leaves many questions about how such activities can be traced back to entities and what remedies are available to the victim states. In order to solve this debacle, some minimum evidentiary requirement is needed for attribution of cyber attacks to states, whereby such evidence is vetted by third parties, i.e., both states and non-state actors, as potential contributors to confirming attributions. Moreover, severing of diplomatic and economic ties should be a remedy available to victim States that do not or cannot engage in countermeasures. Lastly, an international independent and impartial entity is needed to spearhead the process of attribution to ensure transparency and accuracy.

Disclaimer

The opinions expressed in the articles on the Diplomacy, Law & Policy (DLP) Forum are those of the authors. They do not purport to reflect the opinions or views of the DLP Forum, its editorial team, or its affiliated organizations. Moreover, the articles are based upon information the authors consider reliable, but neither the DLP Forum nor its affiliates warrant its completeness or accuracy, and it should not be relied upon as such.

Aleezay Saeed

Aleezay Saeed is a 4th year student of law & policy at the Lahore University of Management Sciences. Her primary interests include international development and constitutional law. She also takes keen interest in the compliance of domestic policies related to gender with international standards.