Prior to engaging in an in-depth discussion and analyses concerning this matter, this study must address: (1) what is meant by the term attribution as used herein and how does it apply to the issue of state responsibility for malicious cyber-attacks; (2) why is this issue worthy of scholarly discussion; (3) why does this study address the issue of attribution of malicious cyber-attacks from both a legal and technical viewpoint; and (4) why does this study utilize the sources of law that it does?
State responsibility, as put forth by the ARS Art. 2, requires two elements, (1) an internationally wrongful act; and (2) attribution of that act to a state, which will be discussed in detail, infra.
39 Attribution, in relation to malicious cyber-attacks, may be defined in the technical sense as the determination of the original Internet Protocol (IP) address for the system responsible for initiating an attack.1 In theory, this process of determining the originating IP address is straightforward.2 As will be discussed in depth in Chapter Four, technical attribution is quite challenging with numerous techniques available to the attacker to thwart attribution.3
In the legal context, attribution may be understood as assigning a party legally responsible for an act. In the context of this study, attribution is understood as the assigning of responsibility to a state or third-party for initiating a malicious cyber-attack. However, under existing CIL, as put forth by the ICJ and as adopted by the ARS, the assignment of responsibility to a state is not as simple as tracing the IP address for an attack to a state.4
It must be noted prior to any discussion that there is much debate over the issue of whether the technical and legal attribution of malicious cyber-attacks is even possible. Some commentators hold that technical and legal attribution of malicious cyber-attacks is impossible. Other commentators, based in part upon comments of the former United States.
1 Paul J. Springer, Cyber Warfare: A Reference Handbook 92-93 (2015). See also, Constantine Antonopoulos, State Responsibility in Cyberspace, in, Research Handbook on International Law and Cyberspace 62 (Nicholas Tsagourias and Russell Buchan, eds. 2016). (“[I]t is almost impossible to identify directly and with certainty the person or entity operating a personal computer. Identification of persons, and by consequence, attribution is only possible via identification of a computer by way of its IP address that identifies its precise location.”) Cf.
Neil C. Rowe, The Attribution of Cyber Warfare, in, Cyber Warfare: A Multidisciplinary Analysis 60-70 (James A. Green, ed., Kindle ed., 2015). (Discussing the difficulties of cyber-attack attribution.)
2 Id.
3 Neil C. Rowe, The Attribution of Cyber Warfare, in, Cyber Warfare: A Multidisciplinary Analysis 60-70 (James A. Green, ed., Kindle ed., 2015).
4 Constantine Antonopoulos, State Responsibility in Cyberspace, in, Research Handbook on International Law and Cyberspace 62-71 (Nicholas Tsagourias and Russell Buchan, eds. 2016).
40 Secretary of Defense, Leon Panetta,5 and other sources, plausibly argue that technical and legal attribution is achievable with current technology.6 However, as will be explained in this study infra Chapter Four, this study rejects this idea based upon both the CIL of state responsibility and the technical reality of attribution. It is argued herein, that even when computer science can positively identify the IP address for the computer system responsible for a malicious cyber-attack, that identification alone, under existing CIL, does not demonstrate that a state is responsible for the attack (although this study will argue that this alone may be enough to hold a state responsible for malicious cyber-attacks under alternative theories of responsibility.) Attribution to the IP address level under existing CIL does not demonstrate that the state itself ordered or directed the cyber-attacks and therefore legal attribution cannot lie.7
The issue of state responsibility for malicious cyber-attacks is worthy of in-depth, scholarly review as it is an unanswered question. Malicious cyber-attacks can impact any state and determining the responsible party for the attacks is arguably paramount to avoid wrongful attribution and potential kinetic overflow from a cyber incident. As will be discussed infra, malicious cyber-attacks are responsible for what has been called “the greatest transfer of
5 Leon Panetta, U.S. Sec’y of Def., Speech Concerning Cyber Security to Business Executives for National Security in New York City, (October 11, 2012). As published in, Council of Foreign Relations (October 12, 2012). http://www.cfr.org/ cybersecurity/secretary-panettas-speech-cybersecurity/p29262. (Secretary Panetta stated, “[o]ver the last two years, DoD [(the United States Department of Defense)] has made significant investments in forensics to address this problem of attribution and we're seeing the returns on that investment.” This led many commentators to speculate that the United States could have the technology to attribute malicious cyber-attacks. This study rejects this interpretation without further supporting evidence of the means and methods of attribution. Secretary Panetta merely states that the United States has invested in forensics, which could mean a multitude of different computer techniques to attempt to identify an attacker, and given the United States’ many failures to properly attribute such attacks, e.g., the Sony cyber-attacks in 2015 and the DNC Hacks in 2016, it is highly unlikely that the forensics Secretary Panetta is discussing, at least publicly, are working as well as hoped.)
6 Cf. Neil C. Rowe, The Attribution of Cyberwarfare 62, in, Cyberwarfare: A Multidisciplinary Analysis (James A. Green ed., Kindle ed. 2015) (“[A]ttribution of cyber-attacks is definitely possible.
The evidence will always be circumstantial in the legal sense since cyber-attacks cannot be witnessed inside computers directly.”) See also, Jason Healey, Concluding Assessment, in, A Fierce Domain: Conflict in Cyberspace 1986-2012, 265-278 (Jason Healey, ed. 2013).
(Discussing circumstantial attribution of cyber-attacks.)
7 Cf., Rowe, id. Constantine Antonopoulos, State Responsibility in Cyberspace, in, Research Handbook on International Law and Cyberspace 62-71 (Nicholas Tsagourias and Russell Buchan, eds.
2016).
41 wealth in history.”8 It is argued herein that malicious cyber-attacks are one of the biggest challenges facing the international legal order in the 21st century. The issue of attribution and state responsibility for malicious cyber-attacks is at present a problem without a solution in international law.