By: Yaël Ronen
Hostile cyber operations have become a common phenomenon, affecting public and private bodies and causing harm and inconvenience of different types. In some cases, these operations are carried out by states or on their behalf against other states. This raises the question whether legal responses to hostile operations can be pursued under international law.
Addressing such operations on the international legal level encounters various difficulties. The principal difficulty is the controversy as to the types of cyber activity that international law regulates. But even where there is consensus on the impermissibility of certain conduct (for example, when cyber operations result in physical damage), specific characteristics of cyber activity present obstacles in ensuring accountability. One of the principal obstacles is attributing responsibility for the hostile operation to the state violating the law. Such attachment would allow victim states (and others) to sanction the malfeasant legally, call it out politically, and possibly take operative measures against it.
A major obstacle in attaching the responsibility for a cyber operation to a state is that cyber activities are often carried out by non-state actors, such as individuals and hi-tech companies. In order for responsibility to be attached to an allegedly law-breaking state, the activities of such non-state actors must therefore first be attributed to a state. There are two principal grounds that may allow such attribution: when the direct perpetrators of the attack are organs of the state; and when the direct perpetrators are private entities acting on the instructions, or under the direction or control, of a state.
Proving that a certain cyber operation is attributable to a state requires identifying its perpetrators and attributing their conduct to a particular state. Neither stage is easy from an evidentiary perspective.
This project is part of a larger research initiative to examine the feasibility and advisability of an international attribution mechanism dedicated to hostile cyber operations. Of the myriad questions that arise in devising such a mechanism, this project deals with evidentiary requirements: who should bear the burden of proving the identity of the perpetrators and the attributability of their conduct to the state, what should be the standard for proving this identity and the attributability, and what evidence should be admissible for this purpose.
The project provides an overview of the law and practice background to these evidentiary issues based on the practice of existing courts and tribunals, and examines aspects of these issues that are likely to arise specifically with regard to cyber operations. Despite the variety of dispute settlement bodies, the relative uniformity and cross-fertilization among them suggest that some general trends may be discerned.
The burden of proving a fact rests with the party wishing to rely on that fact to support its claim or defense. There have been suggestions that in some circumstances this burden should be reversed. One such circumstance, which is often the case with regard to cyber operations, is when the information is exclusively in the hands of the respondent (defendant) state, rather than in the hands of the claimant (plaintiff). However, courts and tribunals have not been receptive to this suggestion. They have nonetheless acknowledged that states have a duty of collaboration for the proper administration of justice, which may require them to provide information on request.
There is some debate as to the standard of proof that must be met when alleging the responsibility of a particular state for a violation of international law. There appears to be agreement that the standard may vary depending on the gravity of the allegation. However, it is not clear how gravity should be determined: Should it reflect the norm that has been violated? The harm that the violation caused? Or should it perhaps correspond to the response that the victim state wishes to take? And should cyber activities be examined under the same standards? There are those who call for the lowering of the standard, at least insofar as concerns immediate retaliatory responses that cannot be postponed so as not to lose their effectiveness, and are therefore taken when there is relatively little certainty as to the facts.
International practice suggests that there are practically no constraints on the type of evidence that may be admissible before an international court or tribunal. While not all evidence is equally reliable, it is for the courts to decide on the credibility of any specific piece of evidence. However, the characteristics of cyber operations and the means by which they are detected may raise some challenges to this flexible approach. One is that states are reluctant to divulge information as to how they obtained the evidence on which they claim to rely, citing national security interests. This raises the question of how to deal with classified evidence. Another challenge derives from the transnational character of cyber operations. Conducting investigations to identify perpetrators and their links to states is likely to involve conduct in the territory of other states (whether the allegedly responsible one or others). Such conduct may constitute a violation of another state’s sovereignty, bringing to the fore the question whether evidence that has been obtained illegally should be admissible.
Generally speaking, there is a strong argument that cyber operations should not be subject to distinct evidentiary rules. The very suggestion that such a distinction be made is mistakenly premised on the possibility of distinguishing cyber operations from “ordinary” ones. As the distinction between cyber space and physical space is gradually disappearing, applying different rules is simply impossible. At the same time, given the existing uncertainty as to evidentiary questions, the idiosyncrasies of cyber operations may have an impact on the development of general evidentiary rules. This could occur in a dedicated attribution mechanism or elsewhere. The big question remains whether cyber operations will actually reach such international mechanisms, or remain within the sphere of unilateral action by states.