International Attribution Mechanism for Cyber-Attacks: Who Needs It? Or Is the World Ready for Accountability in Cyberspace? / Yuval Shany & Michael Schmitt

Date: 

Wed, 18/11/2020 - 15:00 to 16:30

Location: 

The Hebrew University of Jerusalem

One explanation for the reluctance to invoke international law in relation to cyber-operations  is the lack of a credible attribution mechanism, which could validate the facts underlying legal claims advanced by states adversely affected by cyber-operations. Arguably, a state targeted by a cyber-attack faces a choice whether or not to rely on international law in denouncing the attack, in attributing it to another state (where relevant) and in responding to it. In domestic legal systems, this process is sometimes referred to as “naming, blaming and claiming” However, all three said stages of the legal response depend on one another, and on factual information about the attack that occurred. Such information is necessary not only to understand what actually happened, and to identify the culprit (and/or the state behind it), but is also required in order to mobilize third parties to support the blaming and claiming, by engaging in collective attribution and a collective response to the attack. In other words, legal rights under international law can only be effectively invoked and relied upon in practice on the basis of an adequate factual infrastructure.

This article presents and discusses some of the possible justifications for establishing an international attribution mechanism to “name" and possibly "blame” the perpetrators of cyber-operations and the states behind them. It also considers what is the principal constituency for such a mechanism. Following an Introduction, Part Two starts by making the general case for developing international fact-finding mechanisms in international law, particularly in areas requiring particular scientific and technological expertise. Part Three then examines some of the shortcomings of the existing processes for attributing responsibility for cyber-attacks. Part Four reviews some existing proposals made to establish an international attribution mechanism, and Part Five describes the potential constituency for a new mechanism: states with limited capacity to impose accountability, states interested in broad collective attribution and international sanction regimes. Part Six concludes.