Shared Responsibility for Cyber Operations

When the responsibility of more than one state is engaged in relation to a wrongful cyber operation, the relevant states share responsibility for it. Shared responsibility can arise, for instance, when multiple states jointly conduct a cyber operation or when one state is involved in the cyber operation of another state (e.g., by providing assistance or exercising control). In view of the persistent difficulties associated with attribution of cyber conduct, shared responsibility can be a useful analytical framework to broaden the net of possible responsible states in relation to a cyber operation.

rendition operations. 3 In the context of peacekeeping operations, domestic courts have occasionally upheld the responsibility of troop-contributing states for conduct for which the United Nations allegedly shared responsibility but could not be brought to court in view of its immunity. 4 The SHARES Project on Shared Responsibility in International Law, carried out at the University of Amsterdam, extensively researched the foundations and implications of shared responsibility, 5 and this essay draws on some of the project's findings.
Next to attribution of conduct, the second requirement to hold a state internationally responsible is that the operation must be in violation of an international norm binding on that state. 6 For instance, cyber intrusions involving sabotage or destruction of a state's critical infrastructure can amount to breach of the prohibition to use of force. 7 Other forms of cyber interference can qualify as a breach of the principle of nonintervention. 8 In the context of mass surveillance and data interception, human rights obligations with regard to privacy might be relevant. 9 This essay does not address whether a certain cyber operation qualifies as a breach of international law and therefore possibly engages responsibility. Rather, it proceeds on the assumption that a given operation breached an applicable norm and focuses on the determination and consequences of responsibility for cyber operations in situations where multiple states are allegedly involved.
The following sections explore three of the scenarios of shared responsibility most relevant in the context of cyber operations: joint conduct, aid or assistance, and lack of due diligence. Each section addresses the conditions in which shared responsibility for cyber operations can arise and the consequences entailed by shared responsibility in terms notably of reparation.

Multiple Attribution of a Joint Cyber Operation
Shared responsibility can arise when the same wrongful cyber operation is attributed to more than one state. The ILC noted in the ARSIWA Commentaries that, by application of Articles 4-11 ARSIWA, "the same conduct may be attributable to several States at the same time." 10 For instance, the conduct of a common organ or entity established by several states and acting on their behalf is attributed to each of these states. 11 Multiple attribution of conduct can also arise with respect to joint conduct, where two or more states "combine in carrying out together an internationally wrongful act in circumstances where they may be regarded as acting jointly in respect of the entire operation." 12 A joint act is attributed to each state that, acting through its own organs, coauthored the wrongful act. 13 In view of the covert nature of many cyber operations, it is unlikely that states would set up a common organ to deploy operations. The scenario of joint conduct could, however, be relevant. For instance, the Stuxnet malware deployed as part of Operation Olympic Games was reportedly developed together by American and Israeli secret agencies in "unusually tight collaboration." 14 According to the New York Times, the United States initiated the project of targeting Iranian nuclear facilities in Natanz, and Israel soon became an equal partner in developing and launching the operation. Israel "had technical expertise that rivaled" that of the United States and "deep intelligence about operations at Natanz that would be vital to making the cyberattack a success." 15 In these circumstances, it can be argued that Stuxnet was a joint cyber operation attributable to both the United States and Israel.
In situations of multiple attribution, injured parties are entitled to invoke the responsibility of each responsible state for the whole cyber operation, and can seek full reparation from each of the coresponsible states. Indeed, "responsibility is not diminished or reduced by the fact that one or more other States are also responsible for the same act." 16 In other words, states that jointly engage in a wrongful cyber operation bear joint and several liability for it. 17

Aid or Assistance to the Cyber Operation of Another State
A second scenario is that of state responsibility for aid or assistance, which arises when one state aids or assists another state in conducting a cyber operation. Under this form of derived responsibility (also referred to as "responsibility in connection with the act of another State"), 18 the assisting state is not responsible for the cyber operation as such but for the support that it provided to the operation. The question is not whether the main wrongful conduct can be attributed to several states but whether states other than the main perpetrator bear responsibility for their own conduct that contributed to or facilitated the cyber operation of another state.
Aid or assistance can take diverse forms, including tangible and noncyber forms of support that do not pose the same attribution hurdles as cyber conduct. Therefore, while the conduct of the assisting state still needs to be attributed, the element of attribution might be easier to demonstrate. Examples of aid or assistance to the cyber operation of another state could include providing technical assistance to another state, sharing (part of) malware code or other tools and techniques, gathering and sharing specific intelligence or other necessary data, or lending strategic facilities.
The conditions for responsibility for aid or assistance to another state are found in Article 16 ARSIWA, which tentatively codifies customary international law. It provides that a state is responsible for aid or assistance when it knowingly facilitates the wrongful conduct of another state. In the ILC Articles, the standard is one of actual knowledge, whereby it must be shown that the assisting state knew that its support would be used to commit a wrongful cyber operation. In addition, responsibility under Article 16 ARSIWA only arises if the assisting state was bound by the same obligation as the one that the assisted state breached. 19 These strict requirements have been criticized as excessively narrow and not reflecting practice. 20 Further, it can be noted that specific regimes of international law which include provisions on aid or assistance tend to adopt lower thresholds. For instance, in the case law of the European Court of Human Rights, responsibility for aid or assistance to human rights violations can arise when the state "knew or ought to have known" that its assistance would contribute to a wrongful conduct. 21 A comparable threshold of constructive knowledge arguably applies to aid or assistance to serious violations of international humanitarian law. 22 Whether aid or assistance to the cyber operation of another state can lead to joint and several liability is debatable. In situations of aid or assistance, the two states each commit a separate wrongful act, but their conduct together results in a harm for which reparation is sought. The ILC Commentaries affirm that "the assisting State will only be responsible to the extent that its own conduct has caused or contributed to the internationally wrongful act," 23 and that "a State should not necessarily be held to indemnify the victim for all the consequences of the [main wrongful] act, but only for those which … flow from its own conduct." 24 Yet the ARSIWA provide no indication of possible criteria for such apportionment of responsibility. Interestingly, the ILC Commentaries mention that, when an injury is "effectively caused by a combination of factors, only one of which is to be ascribed to the responsible State, international practice and the decisions of international tribunals do not support the reduction or attenuation of reparation for concurrent causes." 25 A number of authors have also argued that an assisting state could be held jointly liable together with the main perpetrator, so that the assisting state could be required to provide reparation for the whole damage. 26 The argument is particularly strong when assistance constitutes a significant or necessary contribution to the main wrongful act. 27 On the basis of the above, states providing aid or assistance to the cyber operation of another state can bear responsibility if they had actual-or possibly constructive-knowledge of the wrongful cyber operation. Further, states providing forms of assistance that are critical to the main cyber operation-for instance, an essential facility or unique technical expertise-could arguably bear joint and several liability for the damage caused by the cyber operation.

Lack of Due Diligence by a Territorial State
The third scenario analyzed in this essay is that of a state from whose territory another actor launches a cyber operation. The ICJ declared in the Corfu Channel Case that every state has an "obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States." 28 Locating the territorial origin of a cyber operation is not itself sufficient to attribute conduct to a state. 29 However, a territorial state can share responsibility in relation to the wrongful cyber operation of another state if it failed to take reasonable measures to ensure that its territory was not used by others for cyber operations. In particular, because cyber infrastructures are vulnerable to spoofing or hacking, states have an obligation of due diligence to ensure that infrastructure located in their territory is protected from covert use by other states.
As with aid or assistance, shared responsibility for lack of due diligence involves two distinct wrongful acts: the cyber operation itself and the territorial state's negligence that indirectly contributed to the realization of that operation. Cyber operations are not as such attributable to a negligent territorial state, but the failure to take action in circumstances where a state knows that its territory is used for a wrongful cyber operation engages its responsibility. The requirement of knowledge is satisfied also when the territorial state "must have known" 30 of its territory being used for wrongful cyber operations (constructive knowledge).
It would be difficult to argue that a territorial state should be liable to pay full reparation for damage caused by a cyber operation that it negligently let happen on its territory. 31 In circumstances where a territorial state is not merely negligent but also actively supports the cyber operation of another state, shared responsibility can be upheld under the framework of aid or assistance. This essay nonetheless takes the view that, depending on the degree of knowledge and good faith of a territorial state, a negligent failure could sometimes lead to an obligation of full reparation. For instance, if a territorial state has full knowledge of an ongoing cyber operation and remains inactive in addressing it, it could be argued that the territorial state is jointly liable with the main perpetrator.

Conclusion
In view of the difficulties in attributing cyber conduct to specific states, it is useful to identify when the responsibility of multiple states that are directly or indirectly implicated in a cyber operation can be engaged. Shared responsibility can allow victim states to identify the responsibility of more actors, without leading to a diffusion of responsibility. Indeed, as this essay argues, shared responsibility can entail an obligation of each responsible state to provide full reparation for the damage caused by the combination of wrongful acts.
In order to further clarify the conditions and consequences of shared responsibility, the SHARES Project has engaged in the process of drafting a set of Principles on Shared Responsibility in International Law. These Principles, expected to be finalized in 2019, will provide further guidance on the circumstances in which multiple states can be found responsible in relation to a cyber operation. 28