Skip to main content Accessibility help
×
×
Home

The Attribution Problem and Cyber Armed Attacks

  • Lorraine Finlay (a1) and Christian Payne (a1)

Extract

In late 2018, the U.S. Secretary of Homeland Security suggested that “cyber-attacks now exceed the risk of physical attacks.” Yet the law has not kept pace with this reality. In particular, identifying who is responsible for a cyberattack makes it difficult to regulate this conduct. A state often cannot practically respond to a threat unless it knows from where the threat emanates and potentially who is responsible. Attribution of cyber conduct is critical from a legal perspective because the unlawful act must be attributable to another state for state responsibility to be engaged.

  • View HTML
    • Send article to Kindle

      To send this article to your Kindle, first ensure no-reply@cambridge.org is added to your Approved Personal Document E-mail List under your Personal Document Settings on the Manage Your Content and Devices page of your Amazon account. Then enter the ‘name’ part of your Kindle email address below. Find out more about sending to your Kindle. Find out more about sending to your Kindle.

      Note you can select to send to either the @free.kindle.com or @kindle.com variations. ‘@free.kindle.com’ emails are free but can only be sent to your device when it is connected to wi-fi. ‘@kindle.com’ emails can be delivered even when you are not connected to wi-fi, but note that service fees apply.

      Find out more about the Kindle Personal Document Service.

      The Attribution Problem and Cyber Armed Attacks
      Available formats
      ×

      Send article to Dropbox

      To send this article to your Dropbox account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Dropbox.

      The Attribution Problem and Cyber Armed Attacks
      Available formats
      ×

      Send article to Google Drive

      To send this article to your Google Drive account, please select one or more formats and confirm that you agree to abide by our usage policies. If this is the first time you use this feature, you will be asked to authorise Cambridge Core to connect with your <service> account. Find out more about sending content to Google Drive.

      The Attribution Problem and Cyber Armed Attacks
      Available formats
      ×

Copyright

This is an Open Access article, distributed under the terms of the Creative Commons Attribution licence (http://creativecommons.org/licenses/by/4.0/), which permits unrestricted re-use, distribution, and reproduction in any medium, provided the original work is properly cited.

References

Hide All

1 Kirstjen M. Nielsen, Rethinking Homeland Security in an Age of Disruption, U.S. Dep't of Homeland Security (Sept. 5, 2018).

2 UN Charter art. 2(4).

3 Id. art. 39.

4 Id. art. 51.

5 Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations 339–48 (Michael N. Schmitt ed., 2d ed. 2017) [hereinafter Tallinn Manual].

6 Id. at 300.

7 Id. at 334–37.

8 Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), Merits, 1986 ICJ Rep. 14, para. 191 (June 27) [hereinafter Nicaragua].

9 Tallinn Manual, supra note 5, at 341.

11 Dan Efrony, The Cyber Domain, Cyber Security and What About the International Law? (The Federmann Cyber Security Center).

12 Letter from Secretary of State Daniel Webster to British Minister to the United States Lord Alexander Baring Ashburton (Aug. 6, 1842).

14 William H. Taft, Self-Defense and the Oil Platforms Decision, 29 Yale J. Int'l L. 295, 299 (2004).

15 Oil Platforms (Iran v. U.S.), 2003 ICJ Rep. 161, para. 64 (Nov. 3).

16 G.A. Res. 56/83, Annex, Responsibility of States for Internationally Wrongful Acts, UN Doc. A/RES/56/83, art. 2 (Jan. 28, 2002) [hereinafter ARSIWA].

17 Tallinn Manual, supra note 5, at 84–87.

18 Id. at 94–100.

19 Christian Payne & Lorraine Finlay, Addressing Obstacles to Cyber-Attribution: A Model Based on State Response to Cyber-Attack, 49 Geo. Wash. Int'l L. Rev. 535, 536 (2018).

20 Tallinn Manual, supra note 5, at 174–76. The legal framework surrounding possible state responses to cyberattacks conducted by nonstate actors is beyond the scope of this essay, but is an issue of considerable importance.

21 Nicaragua, supra note 8, at para. 115.

22 Prosecutor v. Tadić, Case No. IT-94–1-A, Judgment, para. 120 (Int'l Crim. Trib. for the Former Yugoslavia, Appeals Chamber July 15, 1999) [hereinafter Tadić].

23 Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosn. & Herz. v. Serb. & Montenegro), Merits, 2007 ICJ Rep. 43, para. 406 (Feb. 26).

24 Tadić, supra note 22, at 120.

25 A second possibility is to extend the right to self-defence to cyber armed attacks by nonstate actors, which raises many of the same issues discussed in recent years about the use of self-defence in the context of terrorism. This issue is beyond the scope of this essay, but is worth further exploration.

26 Payne & Finlay, supra note 19, at 564.

27 Id. at 566.

28 Vincent-Joël Proulx, Babysitting Terrorists: Should States Be Strictly Liable for Failing to Prevent Transborder Attacks?, 23 Berkeley J. Int'l L. 615, 643–59 (2005).

29 ARSIWA, supra note 16, at ch. 2.

30 Jonathan Berr, “WannaCry” Ransomware Attack Losses Could Reach $4 billion, CBS News (May 16, 2017).

31 Tallinn Manual, supra note 5, at 104–11.

Recommend this journal

Email your librarian or administrator to recommend adding this journal to your organisation's collection.

AJIL Unbound
  • ISSN: -
  • EISSN: 2398-7723
  • URL: /core/journals/american-journal-of-international-law
Please enter your name
Please enter a valid email address
Who would you like to send this to? *
×

Metrics

Altmetric attention score

Full text views

Total number of HTML views: 0
Total number of PDF views: 0 *
Loading metrics...

Abstract views

Total abstract views: 0 *
Loading metrics...

* Views captured on Cambridge Core between <date>. This data will be updated every 24 hours.

Usage data cannot currently be displayed