This study addresses the issue of malicious cyber-attacks and attribution, state responsibility, and the duty to prevent them in international law. This study focuses on those cyber-attacks that do not rise to the level of force, a subject that has not until recently attracted much attention from the international legal community and is a distinct emerging
87 The Duqu, Flame, and Stuxnet cyber-attacks appear to have been state-sponsored cyber-attacks and have been circumstantially attributed to the United States and possibly Israel. It is probable that more recent cyber-attacks such as the Regin malware are also state sponsored. See, Electronic Frontier Foundation, State Sponsored Malware (n.d.), https://www.eff.org/issues/state-sponsored-malware.
88 E.g., Stuxnet attacks which resulted in kinetic damage.
33 legal issue.89 This study is not solely on the existing CIL of state responsibility—it also addresses alternative theories for state responsibility, attribution, and issues of proof. This study is not a general study of the law of state responsibility as applied to cyber-attacks; it focuses on issues related to attribution for the purpose of holding states responsible under CIL. This study also addresses alternative theories for attribution and state responsibility.
This study makes a significant and important contribution to the existing corpus of international law. It addresses the most prevalent forms of attacks (malicious cyber-attacks), a problem which has largely been left to individual states to deal with, although it arguably impacts all states. Malicious cyber-attacks are an international problem as they routinely implicate multiple states, and the harm suffered from such attacks often originates from another state. As malicious cyber-attacks have seemingly been ignored in international law, this study addresses the issue in depth. This study addresses the issues of malicious cyber-attacks as a matter of public international law. As such, it utilizes sources of law as put forth in Art. 38 of the Statute of the International Court of Justice.90
As the majority of scholarship on this topic in public international law is in regards to cyber warfare, cyber terrorism, and those cyber-attacks that may be considered a use of force, there will be a large volume of argument by analogy as the principles are similar, yet different. This study relies in part on the Tallinn Manual on the International Law Applicable to Cyber Warfare (Tallinn Manual).91 It must be noted that while the Tallinn Manual should be regarded as what Art. 38(1)(d) of the Statute of the International Court of Justice refers to as, “teachings of the most highly qualified publicists…” the Tallinn
89 See, e.g., Robin Geiss and Henning Lahmann, Freedom and Security in Cyberspace: Shifting the Focus Away from Military Responses Toward Non-Forcible Countermeasures and Collective Threat-Prevention, in, Peacetime Regime for State Activities in Cyberspace (K. Ziolkowski ed., January 1, 2014). http://ssrn.com/abstract=2462950.
90 Statute of the International Court of Justice (1949). See also, Kirthi Jayakumar, Where Does Article 38 Stand Today?, E-Ir, (Oct. 12 2011), http://www.e-ir.info/2011/10/12/where-does-article-38-stand-today. H.C. Gutteridge, The Meaning of Article 38(1) of the Statute of the International Court of Justice, 38 Problems of Public and Private Int’l L. 125 (1952). Aldo Zammit Borda, A Formal Approach to Article 38(1)(d) of the ICJ Statute from the perspective of the International Criminal Courts and Tribunals, 24 Eur. J. Int’l L. 649 (2013).
91 Tallinn Manual on the International Law Applicable to Cyber Warfare, (Michael N. Schmitt ed.
2013).
34 Manual only reflects one view on the issues presented, and should not be considered governing law; it is more akin to that of a restatement of law and thus open to debate. Also, the Tallinn Manual concerns itself with those attacks that implicate UN charter Art. 2(4).
Accordingly, the controlling legal regimes posited by the Tallinn Manual may differ from those put forth herein.
This study also discusses the technical aspects of cyber-attack attribution from the computer science standpoint. This study operates under the belief that at present, there are no true and timely means of attribution for the majority of malicious acts in cyber-space.92 Thus, necessitating a legal mechanism in lieu of true attribution for the purposes of state responsibility.
This study discusses malicious cyber-attacks, including cyber espionage. As a matter of public international law, it must be noted that espionage is not, per se, an illegal act. There is no explicit prohibition in either treaty law or CIL that prohibits most common forms of espionage. While there is, an ongoing debate regarding whether the prohibition contained in the Vienna Convention on Diplomatic Relations specifically covers electronic communication as analogous to other diplomatic communication,93 such nuance is not addressed within this study. This study instead addresses the issue of attribution of malicious cyber-attacks that result in harm to a state. That is, this study does not differentiate between vectors and types of cyber-attacks. Simply put, if an act that could be defined as cyber-espionage causes harm to another, then this study would apply; if no harm results from cyber-espionage, then this study would not apply.
92 Developing Norms for Cyber Conflict, in, Research Handbook on Remote Warfare (Forthcoming), (J.
Ohlin ed, 2016), http://papers.ssrn.com/sol3/ papers. cfm?abstract_id=2736456. (“Prompt attribution of an attack and even threat identification can be very difficult.”) Kosmas Pipyros, Lilian Mitrou,, Dimitris Gritzalis, Theodoros Apostolopoulos, Cyberoperations and International Humanitarian Law : A Review of Obstacles in Applying International Law Rules in Cyber Warfare, 24 Information and Computer Security 38 (2016). (“The absence of a widely accepted legal framework to regulate jurisdictional issues of cyber warfare and the technical difficulties in identifying, with absolute certainty, the perpetrators of an attack, make the successful tackling of cyber attacks difficult.”)
93 See, Vienna Convention on Diplomatic Relations, Art. 27, June 24, 1964, 500 U.N.T.S. 91 (Discussing the “inviolability of official consular communications…”)
35 1.6. Study Overview
Chapter Two will begin with a general discussion regarding the formation of CIL, the CIL on state responsibility, and the Draft Articles on Responsibility of States for Internationally Wrongful Acts. Chapter Two continues with an in-depth discussion regarding the formation of CIL and select theories concerning the formation of CIL. This discussion on the formation of CIL is important, as the majority of this study relies upon customary international law in one form or another. As discussed supra, the law of cyberspace is for all intents and purposes a CIL, as existing treaties are either too narrow in scope, outdated or not widely accepted. There is currently no treaty in place that addresses the issues put forth in this study, and the likelihood of a single treaty concerning malicious cyber-attacks being adopted by the major powers is nil, due to significant differences in the use and control of cyberspace. This lack of a treaty, therefore, makes the CIL, the only law available to guide states in their actions in cyberspace. Additionally, the law of state responsibility is a product of CIL and will evolve in response to changes in custom. This study, therefore, operates under the belief that a solid discussion on the formation of custom is needed prior to any further discussion, as the formation of custom and associated theories directly impact the laws controlling cyberspace and state responsibility.
The discussion regarding CIL relies in large part on the work of the International Law Association (ILA). This study utilizes their work as the ILA is composed of subject matter experts and the work has been cited favorably by international courts and tribunals. By focusing on the work of the ILA, this study is able to present needed information in the least controversial manner possible, because as with any legal theories, even the formation of custom has its controversies. This study attempts to avoid most controversies regarding the formation of CIL by utilizing the work of the ILA, and only briefly discussing the more controversial theories of CIL formation.
Chapter Two finishes with a generalized discussion regarding state responsibility, setting the foundation for the follow-on chapters and establishing a baseline for further discussion regarding state responsibility as put forth by the ILC in its ARS. As noted supra, the work of the ILC is part of the CIL and has been accepted by international courts and tribunals as such. This study utilizes the work of the ILC and cases from the ICJ to demonstrate what the basic rules of state responsibility are, and how they are applied to the instant issue. This
36 section is presented in order to build on the discussion on the formation of CIL and the formation of the CIL of state responsibility. Each chapter in this study builds upon knowledge and information conveyed in earlier chapters, enabling the reader to understand the concepts and theories presented in each follow-on chapter.
Chapter Three is an in-depth analysis regarding the attribution of malicious cyber-attacks and the evidentiary burden associated with attributing malicious cyber-attacks as a matter of CIL. This chapter is a follow-on to the Chapter Two discussion on the ILC’s ARS as the rules of attribution are part thereof. In addition to discussing the rules of attribution, the evidentiary burden associated with the proof of a violation needed to trigger attribution and how an act may be attributed to a state is also discussed. This discussion regarding the rules of attribution demonstrate the difficulties of attributing a malicious cyber-attack to a state, as both the evidentiary burden needed to attribute an act to the state is difficult to meet, and as is the evidentiary burden of proving that a state had effective control over a non-state actor for state responsibility to lie.
Chapter Four discusses the basic operation of the Internet and cyberspace and how computer science approaches the issue of cyber-attack attribution. This chapter discusses both technical attribution through the lens of computer science and circumstantial attribution which melds legal and technical attribution theories and techniques. This chapter serves to demonstrate the technical difficulties involved with affirmatively identifying and attributing a cyber-attack to a state. This issue is discussed in depth to demonstrate to the reader how legal attribution of a malicious cyber-attack fails due to the limitations and difficulties involved with technical attribution. This chapter builds on the discussion in Chapter Three to demonstrate that without affirmative technical attribution to the individual level (i.e., bridging the air gap between the computer system(s) used for an attack and the individual programmer or programmers), legal attribution as established by the ARS is not possible. In addition, this chapter demonstrates that under existing CIL and ICJ case law, circumstantial attribution is not a valid means of attribution, as the ICJ has held that circumstantial evidence is not enough to link a state to wrongful conduct. Chapter Four will conclude Part One of this study.
Chapter Five serves as the introduction to Part Two in which this study looks to alternative theories found in CIL for attributing and holding states responsible for malicious
cyber-37 attacks which are traced back to a state’s sovereign territory, yet cannot be affirmatively attributed to the state itself. Chapter Five introduces the reader to theories which this study puts forward as a means of holding states responsible for malicious cyber-attacks without direct affirmative attribution of those attacks. This chapter discusses the prohibition on unlawful political intervention, the Trail Smelter arbitration and the prohibition on transboundary harm, the Corfu Channel principles, and the theory of strict liability for ultra-hazardous activities. These theories are used herein as it is argued by this study that they are analogous to the instant issue and demonstrate that alternative means of holding states responsible exist in CIL.
Chapter Six continues with the discussion regarding alternative theories in which to hold states responsible for malicious cyber-attacks under existing theories of CIL. Chapter Six addresses the theories of indirect responsibility, the due diligence principle, and the duty to prevent harmful conduct as applied to malicious cyber-attacks. This chapter builds upon the discussion in Chapter Five and the theories presented therein. Chapter Six again discusses existing theories of CIL and applies them to the instant issue in order to demonstrate additional means of holding states responsible for malicious cyber-attacks that exist in CIL.
Chapter Seven addresses recent developments within CIL and state responsibility by analyzing and discussing the post-9/11 invasion of Afghanistan by the United States and its allies. This study argues that the acts of the United States and its allies of holding the de facto government of Afghanistan, the Taliban, responsible for the acts of Al-Qaeda and the terror attacks on the United States was in contravention to the existing CIL of state responsibility. As such, new CIL may have sprung from the acts of the United States and its allies. This chapter addresses this theory in depth. This chapter is important as it demonstrates that CIL may adapt to changing state practice in response to new types of warfare. This chapter is particularly suited for the discussion herein as terrorism, like malicious cyber-attacks, are an evolving legal phenomenon and those acts taken in response to terror attacks may control by analogy to the instant issue.
Chapter Eight concludes this study with a discussion regarding how the international community and individual states may prevent future malicious cyber-attacks. In addition, this study will address the idea of a cyberweapons treaty and the idea of self-help by injured states prior to concluding this study.
38 Chapter Two: Customary International Law and State Responsibility in
Cyberspace
2. Introduction
This study begins in Chapter Two with a discussion concerning the formation of customary international law before turning to a discussion concerning the ILC’s ARS and the basis of state responsibility for wrongful acts. This chapter begins with a discussion on the formation of CIL for four reasons: (1) custom forms the basis for all the legal theories discussed in the substantive portions of this study; (2) the laws of state responsibility have evolved through the CIL process and respond to changes through the continued evolution of CIL; (3) the law of cyberspace is CIL until such time as a treaty or treaties may be concluded on point;and (4) it is argued by this study that the best solution to the issue of malicious cyber-attacks and attribution thereof is to be found within existing CIL which controls by analogy. This study believes that a solution to the instant issue exists within CIL and will discuss this approach in later chapters. As such, this chapter will begin with a discussion regarding the formation of CIL to establish a base of understanding for future arguments.