International Attribution Mechanism for Cyber-Attacks: Who Needs It? Or Is the World Ready for Accountability in Cyberspace? / Yuval Shany & Michael Schmitt

One explanation for the reluctance to invoke international law in relation to cyber-operations  is the lack of a credible attribution mechanism, which could validate the facts underlying legal claims advanced by states adversely affected by cyber-operations. Arguably, a state targeted by a cyber-attack faces a choice whether or not to rely on international law in denouncing the attack, in attributing it to another state (where relevant) and in responding to it. In domestic legal systems, this process is sometimes referred to as “naming, blaming and claiming” However, all three said stages of the legal response depend on one another, and on factual information about the attack that occurred. Such information is necessary not only to understand what actually happened, and to identify the culprit (and/or the state behind it), but is also required in order to mobilize third parties to support the blaming and claiming, by engaging in collective attribution and a collective response to the attack. In other words, legal rights under international law can only be effectively invoked and relied upon in practice on the basis of an adequate factual infrastructure.