
Like the cyber domain, the world’s oceans have extensive economic and strategic benefits, and are mostly concealed from the eyes and ears of the public. Maritime shipping accounts for 90 percent of global trade, sovereign islands provide exclusive economic and strategic benefits, and undersea cables provide vital arteries for information and financial transactions between countries. The contest for these resources attracts the interest of a multiplicity of actors from private enterprises, regional governments, and global superpowers alike, and many of these players are civilian and generally peaceful. However, adversary navies, pirates, smugglers, and terrorists span a wide diversity of motivations, skills, and training, promoting an operating environment that often results in disputes. Disputed actions are complicated by their technical nature and the uncertainties around discovering intended purpose and controlling entities. Like searching for stealthy naval platforms, cyber adversary detection is difficult, much of the activity is confidential, and norms are challenging to enforce. Unlike the maritime domain’s established legal history, cyber law and policy is still in development; at the same time, governments and private sectors struggle to understand and enforce stabilizing rules and norms. This examination of public and private attributions through various channels in the maritime domain offers strategic takeaways for policy development and conflict resolution in cyberspace.

Conflict Resolution

International Law and Maritime Norms

Developing maritime technology in the early twentieth century encouraged transnational competition for resources in and control of the oceans. During this time, strategic public attributions of conflicts over territorial incursions and economic activity functioned to develop an international consensus. Recognizing the need to establish international maritime law from these norms, 168 member states of the United Nations ratified the United Nations Convention on the Law of the Sea (UNCLOS). UNCLOS serves as the legal framework that denotes maritime sovereignty and provides guidelines for naval activity. Although the United States signed the agreement, it was never congressionally ratified.1 The majority of economic actors abide by the rules to mutual benefit, but some naval and malicious actors openly defy them. Absent the legal structure to prosecute these violations, UNCLOS regulations more resemble international standards that can be disobeyed with little consequence. Despite these imperfections, UNCLOS is fundamental to free trade and personnel safety, but more importantly it is the foundation for supplementary bilateral agreements providing attribution channels for conflict resolution. In this manner, we can draw a parallel to the developing cyber environment; there are few customary international laws specifically regulating cyberspace, and increased public attributions to cyber attacks draw international attention to the increasing disparity between existing law and cyber capabilities.

Scott Collard
Scott Collard is a nonresident scholar in the Cyber Policy Initiative at the Carnegie Endowment.

Defined cyberspace norms that mirror UNCLOS regulations are still in development. Institutions such as the UN Group of Governmental Experts (GGE) and Open-Ended Working Group (OEWG) agree that international law applies to the cyber domain. However, established legal principles are difficult to apply to new technological innovation. Reports by the GGE and OEWG recognize the challenges with attributing unacceptable cyber behavior but lack the specifics of suitable enforcement. Without baseline norms, these reports fall short of the regulations that UNCLOS provides the maritime domain. Even so, every member of the GGE, including the United States and China, has agreed that “international law . . . is applicable and essential to maintaining peace and stability, and promoting open, secure, stable, accessible, and peaceful ICT environment.”2 Recognizing the need for “deepening common understanding on how international law applies to State use of ICTs,” states are advised to settle disputes with “peaceful means such as negotiation, mediation, conciliation, arbitration, or judicial settlement” by “regional agencies or arrangements.”3 As the international community constructs the framework for responsible behavior in cyberspace, states can independently define attribution mechanisms for acceptable and legal cyber activity in a manner that protects economic interests, national security, and state sovereignty.

Previous maritime conflict resolutions provide models for directing U.S.-China cyber attributions. During naval actions in the 1960s, military ships and aircraft would regularly perform unsafe maneuvers called “bumping,” in which a civilian or military platform radiates, blocks, or collides with another at high speed. These interactions often take place in crowded shipping lanes and are accompanied by simulated attacks. Some of these maneuvers are intended to discover protocol vulnerabilities, while some are purely antagonistic. These dangerous maneuvers were responsible for numerous deaths and collisions involving military and commercial vessels at the height of the Cold War. U.S. and Soviet officials recognized the growing dangers of these unprofessional encounters, and following negotiations signed the Incidents at Sea Agreement (INCSEA) of 1972, the first of many similar bilateral agreements with consultative exchange mechanisms synergistic to UNCLOS. This joint international accord outlines and prohibits dangerous behavior at sea while establishing an instrument for government representatives to review and address disputes. Notably, this agreement calls for 1) preliminary notice for potentially dangerous activities, 2) respective attaché channels to reconcile disputes, and 3) annual meetings that review agreement implementations.4 The private consultation channels provided enforcement to UNCLOS regulations, and decreased government pressure to respond publicly to incidents. Today, these activities are predominantly curtailed, and infrequent occurrences like the 2001 bumping incident between a U.S. Navy surveillance aircraft and a Chinese Navy interceptor jet are resolved diplomatically, despite disagreement over the responsible nation.5

Cyber bumping could be referred to today as a number of harmful cyber attacks targeted daily against both governments and private entities. Increasingly aggressive operators cause more and more economic and social damage, as captured by the public attributions from both U.S. and Chinese officials in 2021.6 Just as the GGE representatives agree that international law applies to ICT, they also report an increase in significant cyber incidents, suggesting that public attributions in their present state are ineffective in curtailing unwanted activity,7 and highlight the opportunity for attribution channels that allow for peaceful operations while largely avoiding inadvertent conflicts. Notably, the mechanisms of INCSEA agreement models are used to resolve transboundary disputes across numerous international and economic associations, and mechanisms for cyber attribution will likewise reflect varying international relationships.8

Individual Actors

Following the establishment of norms and legal structures in place to monitor cyberspace, violations or even accidental incursions are foreseeable. Negligent government actors, cyber criminals, and opportunistic attackers will defy policies and norms. How should national governments handle these isolated but inevitable incidents? The maritime domain again offers a useful model to replicate.

Individual entities are the most accountable for their cyber or navigational security. In international waters, distinct units (ship captains, aircraft commanders) handle most norm violations with predefined procedures designed to prioritize safety and deescalate aggressive situations. For dangerous or antagonizing behavior, such as vessels in proximity or intentional posturing of weapons systems, UNCLOS protocol requires immediate and unit-directed public attribution while simultaneously recording the details of the incident, increasing defensive postures, and maneuvering for safety. This initial attribution details the suspect’s identity and location on a public network, so that nearby entities can independently assess potential hazards and take defensive measures, and the accused unit is given an opportunity to correct unintentional behavior. The accusing unit then reports this violation to its controlling authority, continuing its operations without offensive response.

Controlling agencies use these activity reports to communicate their grievances to an international counterpart, in the form of private attribution, providing technical incident details as part of a forensic investigation. The sector commander provides the accused entity the option to resolve their transgression before electing to deploy countermeasures, such as prohibiting port entry or imposing fines against the violating ship’s controlling agency. During these private bilateral discussions, agencies can sort out technical failures and human error from deliberate actions approved by controlling policy or doctrine. In this manner, mid-level authorities can reprimand unsanctioned activity such as a specifically maverick pilot or negligent ship captain without further escalation, or forward dangerous adversary policies to higher authorities. In many cases, nations withhold evidence that would disclose secret capabilities. This sensitivity necessitates a significant level of trust and fair-minded analysis of the evidence presented. Private channels are most likely to encourage this rapport, even when follow-on public disclosure is necessary for cost imposition or indictments.

Governments need defined channels to address cyber incidents. While some nations rarely attribute publicly, others attribute often but inconsistently. Research demonstrates that U.S. public cyber attributions are inconsistent in timing, entity, language, channel, and retribution.9 In the absence of defined policies and agreements, this ad hoc approach diminishes stabilizing effects of public attribution by appearing politically motivated or unfounded to the accused state. Additionally, U.S. public companies do not always confer with the government prior to attribution, which can create a confusing and unhelpful event narrative. Conversely, the absence of attribution suggests that nations are more apt to retaliate instead of imposing costs via legal or diplomatic means. Despite these varied attribution approaches, large-scale cyber attacks that cause significant damage to infrastructure, economic interests, or national security are increasing in frequency, and compel a consistent public and private attribution process supported by evidentiary presentation and transparent cost imposition. Signing formal agreements that build direct communication channels between adversaries appears daunting, but the precedent of maritime cooperation during the Cold War and present-day territorial contests in the western Pacific confirms that they are both possible and necessary. These communication channels for attributing cyber incidents free government entities to handle minor attacks within their jurisdictions, avoiding escalating and non-useful public outcry, and encourage nations to correct rather than defend impermissible cyber activity.

How would a cyber attribution channel function? The maritime environment offers a compelling starting point, but here the greater complexity of cyberspace provides unique challenges. The attribution channels could resemble those agreed to under INCSEA, where designated government officials meet yearly to address grievances and issue reprimands. Government representatives can also review actions taken to correct previous complaints and demonstrate progress. But the cyber domain presents new challenges not replicated in the maritime domain, including the diversity of actors, lack of legal structure, and potentially zero-sum competitions. Because of this, cyber attribution channels should be enforced by global institutions and courts, and they must provide accountability. Cyber enforcement may take form as a hybrid of maritime structures and existing precedent such as the dispute settlement system within the WTO—where no judgment is passed during consultations. However, like in the development of UNCLOS and INCSEA, the UN and other governing bodies must be proactive in developing even imperfect solutions so that cyber law precedents and conflict resolution can develop and flourish.

Adversary Detection and Characterization

Most surface activity in the maritime environment is economic, and these vessels prefer to be discovered and identified quickly to comply with maritime rules that ensure safe navigation. Because visual or electronic signatures can be nominal, technologies such as the Automatic Identification System (AIS) and Identify Friend or Foe (IFF) are used for identification in the maritime domain—but these signatures can be falsified, and these actions face harsh penalties on discovery. Similarly, cyber actors can hide their identities using IP address masking via virtual private networks, or with stolen information from a phishing scheme. So how should cyber governance consider activity that is designed to be unseen? The maritime domain again offers a useful starting point.

Submarine and cyber technology present similar detection and characterization challenges, and offer insights into attribution methods that best serve national interests. Submarines revolutionized naval warfare by introducing the ability to remain undetected. Like cyber actors, this advantage makes them a strategic asset for missions of intelligence gathering, surveillance, and electronic attack. Submarine detection relies on technical clues including electromagnetic frequencies, equipment signatures, platform type, location, and tactical methods to characterize and interpret intent. Further complicating identification, foreign-produced submarines can belong to a host of supplied countries. When submarines are successfully discovered, knowing their production nationality, type, class, and objectives is an imperfect process with varying confidence levels. Additionally, nations are reluctant to present detection evidence, in order to protect secret capabilities. In spite of these challenges, national defense prerogatives require nations to act even with imperfect confidence on the characterization of the attack, and Article 51 of the UN Charter extends self-defense rights to imminent network activities that constitute an armed attack, or imminent threat thereof.10

Takeaways

Nations that respectfully cooperate to address malicious cyber activity are better off. Because cyber and maritime activities are classified in nature, nations are quick to deny responsibility when faced with public attributions for them. However, the proliferation of cyber actors and the increasing cost of damages compel countries to take defensive actions on these forensic discoveries. Successful conflict resolution processes require nations to collaborate with public information and evidence to determine the attacker’s sponsoring organization and motivations prior to public accusation, which helps to disseminate the burden of proof. In the eyes of the international community, these collaborative methods reinforce subsequent public attributions in the event the undesired activity continues.

Public attribution is an important part of a structured, diplomatic approach to resolving conflict in cyberspace, but requires established mechanisms and norms for proper efficacy. This chapter uses the precedent of the maritime domain to make three recommendations for the development of international cyber policy.

First, UNCLOS success highlights the need for international agreements to define and enforce norms in cyberspace. These multilateral negotiations must define server boundaries, classify prohibited targets such as critical infrastructure or intellectual property, and categorize appropriate protocols for addressing unwanted cyber behavior.

Secondly, nations must establish channels for addressing cyber incidents privately before public attributions are required for cost imposition. A stable cyber domain requires intergovernmental mechanisms that can quickly and privately address unwanted behavior at the appropriate public or private level, bounded by a treaty or formal agreement.

The third recommendation contrasts with the elusive nature of submarine activity; private attributions of suspected state-sponsored attacks encourage accused states to police their own cyber infrastructure and hinder illicit nonstate actors, especially on the states’ indigenous software and servers. Defining and enforcing cyber norms, maintaining interagency mechanisms of private attribution, and transparent internal policies are attribution models from the maritime domain that can deliver stability in cyberspace.

Notes

1 “Law of the Sea Convention,” U.S. Department of State, accessed February 28, 2022, https://www.state.gov/law-of-the-sea-convention/.

2 “Final Substantive Report,” conference room paper, Open-Ended Working Group on Developments in the Field of Information and Telecommunications in the Context of International Security, UN General Assembly, March 10, 2021.

3 Ibid.

4 “Incidents at Sea Agreement,” U.S. Department of State, signed May 1972, accessed February 28, 2022, https://2009-2017.state.gov/t/isn/4791.htm.

5 Elizabeth Rosenthal with David Sanger, “U.S. Plane in China After It Collides With Chinese Jet,” New York Times, April 2, 2001, https://www.nytimes.com/2001/04/02/world/us-plane-in-china-after-it-collides-with-chinese-jet.html.

6 “The United States, Joined by Allies and Partners, Attributes Malicious Cyber Activity and Irresponsible State Behavior to the People’s Republic of China,” White House, July 19, 2021, https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/19/the-united-states-joined-by-allies-and-partners-attributes-malicious-cyber-activity-and-irresponsible-state-behavior-to-the-peoples-republic-of-china/; and Steve Holland and Doina Chiacu, “U.S. and Allies Accuse China of Global Hacking Spree,” Reuters, July 20, 2021, https://www.reuters.com/technology/us-allies-accuse-china-global-cyber-hacking-campaign-2021-07-19/.

7 “Protecting People in Cyberspace: The Vital Role of the United Nations in 2020,” Global Forum on Cyber Expertise, Microsoft, December 2019.

8 “Bilateral Military Agreements Between NATO Member States and the Soviet Union on the Prevention of Incidents,” European Leadership Network, accessed on February 28, 2022, https://www.europeanleadershipnetwork.org/bilateral-military-agreements-between-nato-member-states-and-the-soviet-union-on-the-prevention-of-incidents/.

9 Heajune Lee, “Strategic Publicity?: Understanding US Government Cyber Attribution,” thesis, Stanford Digital Repository, Spring 2021, https://purl.stanford.edu/py070wt8487.

10 Harold Koh, “International Law in Cyberspace,” Harvard International Law Journal Online 54 (December 2012). Accessed at https://digitalcommons.law.yale.edu/cgi/viewcontent.cgi?article=5858&context=fss_papers.