By: Yuval Shany, Michael Schmitt, Paul Ducheine, Yaël Ronen, Dan Efrony & Jack Kenny
Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations sets forth a comprehensive legal framework for the regulation of cyber operations during times of peace and of armed conflict. It also offers such a framework for responses to cyber attacks that lie both above and below the “armed attack” threshold that justifies responses by kinetic or cyber means in self-defense under international law (Article 51 of the UN Charter).
A critical element with respect to the applicability of these frameworks is attribution under international law of responsibility for a malicious cyber operation. Before a State can be held responsible for a violation of international law, the cyber operation in question must be attributable to that State. Moreover, the legal authority to respond to harmful cyber operations through either countermeasures or self-defense largely depends on the ability of the responding State to attribute the original hostile cyber operation to another State’s organs, such as an intelligence agency; to a non-State actor like a hacker group or private company that is in the effective control of the State concerned; or to a private entity within a State that the territorial State has failed to control through the exercise of due diligence. The right to use cyber or kinetic means against another State in self-defense likewise depends on attributing the attack to that State.
Attribution has two dimensions: (1) technical attribution – tracing the source of the cyber operation and assigning it to a specific user and specific computing device; and (2) legal attribution – determining a State’s legal responsibility for authorizing or acquiescing to an unlawful cyber operation, or ascertaining whether it otherwise incurs international legal responsibility for the act on the basis of its relationship to the specific user involved in launching the hostile cyber operation. The credibility of a State that is the victim of a hostile cyber operation in denouncing another State or non-State entity for its role in the operation, and making a public claim for an internationally recognized right to respond, depends to a large extent on its ability to convincingly attribute the operation in law and in fact.
Presently, no international agency, organization or other entity has the legal mandate or professional expertise to authoritatively attribute responsibility for cyber operations. While some international organizations, such as Interpol and the European Union’s Agency for Network and Information Security (ENISA), have assumed a coordinative role in this field, they do not yet enjoy independent attribution capacity. In this institutional attribution vacuum, States often refrain from attributing hostile cyber operations, at least definitively, to particular States or non-State actors. When they do so, they often rely on confidential sources or on reports by private cyber security firms (which focus on technical attribution); as a result, the credibility of such attribution varies. To complicate matters further, responses to hostile cyber operations often take place secretly (sometimes through the use of proxies), a fact that raises attribution problems of its own. Arguably, this state of affairs is not conducive to fostering the international rule of law in cyberspace; rather, it risks a destabilizing escalatory cycle of hostile cyber operations and cyber and kinetic counter-attacks.
It is against this backdrop that a number of proposals to create an international attribution agency, public or private, have surfaced. These include the Microsoft call for an international attribution organization modelled after the International Atomic Energy Agency, and the Rand Corporation’s proposal for a Global Cyber Attribution Consortium. These proposals contain interesting elements, but are not fully anchored in the international law of State responsibility. As a result, their contribution to the fledgling legal framework governing cyber operations is unclear. It is also unclear whether, and if so to what extent, the proposed institutions are acceptable to States and likely to be utilized by them, either in order to expose and shame their attackers or as a prelude to the adoption of countermeasures, self-defense measures or other responsive measures.
The research project explores the viability of the notion of an international attribution mechanism; its possible structure, authority, process, and scope of consideration; and the role that such a mechanism could play in light of the legal framework governing cyber operations. It is based on a research hypothesis (which needs to be critically evaluated) that a credible attribution process, the findings of which can be publicly relied upon, could facilitate the policy option of responding to hostile cyber operations in a manner that is both lawful and politically legitimate. A robust and credible attribution mechanism, with a strong technical and legal capacity, would also foster accountability in international law and politics for acts and omissions that are inconsistent with States’ legal obligations under the international law governing cyber operations. Accordingly, the project will include: the assessment of case studies of past attempts to attribute unlawful cyber operations; a comparative review of parallel fields of law in which attribution challenges arise (such as international terrorism, environmental degradation and the recent chemical weapons attack in Salisbury) and the manner in which attribution is dealt with in them; a review of the literature on attribution mechanisms; and workshops with decision-makers.