It goes without saying that it is highly unlikely that interstate cyber attacks can be perpetrated by the heads-of-state themselves, given that a high degree of expertise in computer technology is needed. So, since a group of hackers will be the one ‘hired’ by a government to wage the attack, how can the group’s actions be attributed to the particular state?
Allegedly, it is particularly difficult not only to prove that a cyber attack has taken place but also to trace the perpetrator of an attack, let alone to find the required nexus between the hacker and the responsible state in order to attribute the acts to the particular state. In reality, however, if a black hat hacker with malicious intentions is expert in camouflaging, or even in completely hiding the traces that can lead to him, there is another hacker, a white hat one, equally expert in tracing him. For the purposes of this study, it will be taken for granted that the hackers can indeed be geographically traced, in order to proceed to a legal analysis of how their actions can be attributed to the responsible state.
Further to this, even if the attack is geographically traced, the scope of state attribution of the acts of a group of hackers stumbles upon the contentious issue of territoriality in cyberspace. Retired General Michael Hayden, former director of the US National Security Agency, recently stated in an utterly flamboyant manner that one solution being discussed in government is to simply forget about trying to determine if the source of an attack is state-sponsored and hold nations responsible for malicious activity coming from their cyberspace.
At the heart of the international law of state responsibility lie the 2001 Draft Articles on Responsibility of States for Internationally Wrongful Acts, codified by the International Law Commission.
Chapter II of the Draft Articles posits that attribution of a conduct to a state can be effectuated in a plethora of ways: inter alia, through the conduct of the de facto or de jure organs of a state (even in instances where they exceed their authority or contravene their instructions), through the conduct of persons or entities exercising elements of governmental authority, and through the conduct of a person or group of persons acting under the instructions of or under the directions or control of that State.
The second half of the latter form of ‘imputability’ is the most controversial one. The degree of control which must be exercised by the state in order for the conduct to be attributable to it was a key issue in three different cases in international jurisprudence.
If a future cyber attack is indeed waged by a group of hackers acting under the instructions, directions or control of a state, a particular difficulty will arise if the mutually contradictory dicta by the two UN tribunals are taken into consideration.
The International Court of Justice ruled in the landmark 2007 Nicaragua Case that an “effective control” test is needed for the state attribution to be achieved, whereas the International Criminal Tribunal for the Former Yugoslavia decided in the famous Tadić Case that a looser, “overall control” test is satisfactory enough. The latter was harshly criticised by the ICJ in its landmark 2007 Genocide Case as being unpersuasive and unsuitable, as it ‘has the major drawback of broadening the scope of State responsibility well beyond the fundamental principle governing the law of international responsibility’.
Thus, in the case that a future disputed cyber attack is submitted to the International Court of Justice, it remains to be seen whether the criteria used will be stringent or not and whether international responsibility of the culprit state will be effectively engaged.
Praiseworthy is also the proposal by Shackelford, who moves even further and suggests that ‘using the Genocide Convention can be a vehicle to hold accountable perpetrator nations that experience genocide as a result of a massive and deadly state-sponsored information warfare campaign.’
International legal literature has not yet addressed the subject effectively. See Dinstein in MN Schmitt, Computer Network Attack and the Use of Force in International Law: Thoughts on Normative Framework, US Air Force Academy, 1999, at 103; also Todd, but dealing mainly with cyber espionage.
Eg, Adkins 16 describes a ‘law enforcement diagnostic tool’, the ‘Carnivore’, used by the FBI to locate and identify hackers who ‘weave and loop’ through various computers in order to hide their actual location.
For an analysis of territoriality and jurisdiction in cyberspace, see Van de Bogart.
‘Former NSA Director: Countries Spewing Cyberattacks Should Be Held Responsible’, July 29, 2010, available at wired.com, an online periodical on technology issues, http://www.wired.com/threatlevel/2010/07/hayden-at-blackhat/
Responsibility of States for Internationally Wrongful Acts, Yearbook of the International Law Commission, 2001, vol. II (Part II), Reproduced in the annex to General Assembly Resolution 56/83 of 12 December 2001, and corrected by document A/56/49 (Vol. I)/Corr.4.
Case Concerning Military and Paramilitary Activities in and against Nicaragua (Nicaragua v United States of America), 1984, ICJ Reports 392 June 27, 1986; Prosecutor v. Duško Tadić aka Dule, Sentencing Judgement, Case No. IT-94-1-T, ICTY, 14 July 2007; Case Concerning the Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro), ICJ General List No. 91, Judgment of February 26, 2007.
International Tribunal for the Prosecution of Persons Responsible for Serious Violations of International Humanitarian Law Committed in the Territory of the Former Yugoslavia since 1991
Genocide Case, para. 406.