Three Lenses to Interrogate Public Attribution

After a state—either its government or the private businesses therein—suffers a malicious cyber operation by a foreign actor, it is tempting for that state to identify and publicly blame whoever it believes is responsible for the attack. Such cyber attribution efforts entail three generally recognized considerations, which stem from technical, political, and legal perspectives, respectively.

First, the attributing state must technically understand what happened and describe the truth as much as it can. The creation of a factual foundation for attribution is, in large part, a forensic process through signals intelligence to trace the malicious cyber activities back to a machine or a location. Yet pinning down the human actors who physically conducted the operation behind the screen often requires intense corroboration from human intelligence as well; it goes without saying that the ultimate establishment of responsibility falls within the purview of law. States’ capabilities in this regard are far from evenly distributed,1 which will inevitably lead to an asymmetric pattern of attribution practices. Empirical data shows that technically capable states tend to use public attribution more frequently, with their envisaged adversaries fixed on the receiving ends.2

Second, after the state has attained a certain level of confidence that it knows the source of a malicious cyber operation, it then has a series of political decisions to make—such as whether, when, and in what form to publicly hold the actor accountable, or whether to call for coordinated action from allies. This political decisionmaking is, of course, “a highly complex process which requires trade-offs of multiple considerations.”3 The accusing state may take into account a complex matrix of political pursuits, including: to show accountability to a domestic constituency; to name and shame the accused; to signal for the purpose of effective deterrence; to serve as a window to observe possible reactions from the accused state; to hold a state legally responsible and to justify possible measures in response; or to signify a redline that the accusing state wants to draw in service of its efforts to establish norms. Simply put, a state’s decision as to the timing, the seriousness, and the form of an attribution represents the final trade-off after a comprehensive evaluation over domestic pressure and interstate relations. In this sense, attribution is ultimately political.

Fan Yang
Fan Yang is an assistant professor of law and the deputy director of the Cyberspace International Law Center in the School of Law at Xiamen University.

Third, from a legal perspective, attribution means imputation by connecting the offense to an offender according to applicable rules, either domestic or international. For the purposes of this chapter, domestic imputation—such as indictment or sanctions against foreign individuals—is left undiscussed; specific focus is put on the intention to establish state responsibility as per applicable international law. Under this premise, legal attribution can legitimize future responding measures, such as self-defense or other countermeasures the accusing state may take, depending on the nature and severity of the original malicious cyber operations. Ideally, the international legal system should provide clear guidance for attribution. However, as will be discussed, the current body of international law is seriously inadequate on this issue.

It’s worth noting that states may still publicly accuse others of conducting unwanted cyber operations regardless of any clear legal basis for doing so. For example, the United States officially holds that political attribution in the form of official announcements does not require meeting any legal standards in the strict sense.4 This reflects the complexity embedded within public attribution practice as to its diversified form and purpose. Since this chapter specifically focuses on the intention to hold an accused state responsible under international law, the appropriateness of examining an attribution according to technical, political, and international legal criteria should be clear.

The Problem With Ill-Substantiated Public Attribution

Compared to attribution that is confidentially processed and privately communicated, it’s only logical that public attribution should be better supported. Quite to the contrary, however, public attribution is particularly susceptible to the problem of ill-substantiation—if not the absence of substantiation at all. The fundamental cause is that—to use the language of the three lenses analytical framework—the political desire to publicly blame an adversary state cannot be properly checked and balanced due to technical imparities and the lack of legal restraints. Under strong political impetus to publicly blame its adversary, the technically capable state seems to enjoy taking advantage of the lawless status quo.

The term “ill-substantiated public attribution” refers to a subcategory of reckless public denouncements that assign responsibility for a malicious cyber operation to a state without a solid legal logic of imputation or any adequate accompanying evidence. It’s a problem with a moving scale, rather than a simple yes-or-no judgment. Around this concept, two illustrating points are necessary.

First, the appropriate level of substantiation should match the purpose and form of public attribution.5 Think of an extreme case, for example, in which a state is held publicly responsible for carrying out cyber operations that amount to an armed attack,6 activating the victim state’s right to self-defense. Obviously, such a claim is subject to challenge unless it can be unequivocally supported.7 A comparable situation is when there is a breach of general international legal obligation, say, of nonintervention, and the accusing state aims to establish responsibility that can justify its future countermeasures. The requirement to support this latter claim should be accordingly downsized.

Second, ill-substantiated public attribution has also instigated normative contentions among states. Since 2015, China, Russia, and other countries have consistently held the position that accusations must be substantiated.8 The United States and the UK, among others, are firm advocates of the position that international law does not require disclosure of evidence to support accusations; states can, thereby, “act reasonably under the circumstances.”9

This chapter does not contend that public attribution per se is necessarily a problem; rather, it argues that ill-substantiated public attribution is both unhelpful in securing the political pursuits of the accusing state and potentially detrimental to an orderly cyberspace. To list a few issues:

  1. Ill-substantiated public attribution is ineffective for the purpose of deterrence because it’s a cheap—and thus less convincing—form of signaling that is insufficient to legitimize possible responding measures.
  2. Naming and shaming is unlikely to work as anticipated by the accusing state because reckless finger-pointing may be interpreted as slandering and defamation.
  3. Public attribution is treated as a policy tool to ease domestic pressure to react against a foreign malicious cyber operation. But an ill-substantiated—and thus unhealthy—public attribution may breed populism, which will in turn squeeze the policy space.
  4. The current asymmetrical pattern of ill-substantiated public attribution is structurally destabilizing because a constantly accusing state may make it normal to point fingers without enough substantiation, while a constantly accused state will grow increasingly resentful and eventually erupt.
  5. Ill-substantiated public attribution contributes little—if it is not outright detrimental—to norm-building, as it relies on the vacuum of applicable rules.

Legal Deficiencies That Encourage Ill-Substantiated Public Attribution

State responsibility arises when there is a breach of international obligation that can be attributed to the state per international law.10 Apart from another long-recognized problem regarding the lack of primary rules on cyber obligations, ill-substantiated public attribution is enabled and encouraged by the legal deficiencies in the current body of international law that relates to attribution. The deficiencies are threefold:

  1. International rules for attribution are inadequate to cope with cyber scenarios.
  2. International legal evidence requirements are underdeveloped in general and insufficient for cyber in particular.
  3. Legal consequences for making factually incorrect or wrongful public attributions are not clearly defined.

Attribution Rules

The International Law Commission’s (ILC’s) draft Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA),11 especially articles 4 through 11, represent a fine codification of customary international law on attribution rules. Linking state organs’ activity to that state, per ARSIWA stipulations, proves to be less troublesome; it’s a different story when it comes to evaluating state responsibility for activities conducted by nonstate actors. Unfortunately, most of the situations that concern cyber attribution are in the latter camp. To address the issue of linking a nonstate actor’s behavior to a state, existing proposals de lege lata are quite controversial. Two, regarding the control test and due diligence respectively, will be examined below.

Regarding the legal standard of the level of control required for attribution to occur, the generally recognized approaches are:12 the “effective control” test devised by the International Court of Justice (ICJ) in Nicaragua v. USA,13 and the “overall control” test developed by the International Criminal Tribunal for the Former Yugoslavia Appeals Chamber in the Prosecutor v. Tadic decision.14 Some argue that the overall control test should prevail in scenarios of cyber attribution because the effective control test is far stricter and thus may function as “a free pass to state sponsorship of cyberattacks.”15

This proposal is not a suitable solution for two reasons.16 First, both test standards focus on the level of control a state exerts over the nonstate actor—thus, they cannot cover cases of attribution when the malicious cyber activities suggest no obvious evidence of control. Second, the overall control standard was explicitly confined to “organized and hierarchically structured groups” such as military or paramilitary units;17 as a matter of juridical fact, the stricter effective control test has been upheld in determining attribution concerning the acts of individuals or nonorganized groups.

Considering how difficult it is to persuasively demonstrate that a state is effectively or generally controlling a nonstate entity, an alternative would be to hold states responsible for regulating or preventing malicious cyber operations within their jurisdictions. This is captured by the tendency to incorporate the international legal principle of due diligence—first recognized by the ICJ in United Kingdom v. Albania, also known as the Corfu Channel case18—into cyber scenarios. But should we treat cyber due diligence as a primary rule of international obligation over state conduct or as a secondary rule to determine violation? There are competing viewpoints.

The Tallinn Manual 2.0 on the International Law Applicable to Cyber Warfare defines “due diligence” as a substantive obligation;19 the United Nations Group of Government Experts (UN GGE) report endorses this approach with similar wording.20 Per this understanding, the original task of attributing malicious cyber operations to a territorial state no longer requires an answer. A new task of legal estimation emerges: whether there is a breach of due diligence obligation. To satisfy this test, it must be proven that the original cyber operation stems from within the territorial state; that it causes serious, adverse consequences about which the territorial state has actual or constructive knowledge; and that the territorial state can but fails to take all feasible measures. Moreover, the original cyber operation must constitute a breach of international obligation should it be conducted by the territorial state.21

Turning to the minority approach of due diligence as an attribution rule, the identification of the actual author shifts to the state territory where the malicious cyber operation originated. According to such “indirect” or “imputed” attribution,22 a state is deemed to be responsible for the cyber operation harming another state rather than for a breach of its due diligence obligation. This unorthodox approach seems a bit excessive. It’s no wonder the UN GGE report specifically emphasizes that “the indication that an ICT [information and communications technology] activity was launched or otherwise originates from a State’s territory or from its ICT infrastructure may be insufficient in itself to attribute the activity to that State.”23

In light of these contending viewpoints, misusing and abusing due diligence to forge a legal argument to back up public attribution claims could facilitate ill-substantiation. It’s thus important to reiterate the following points. First, due diligence, if imported to the cyber scenario, should be better understood as setting an obligation for a state rather than serving as a way to attribute. Second, the actual occurrence of a harmful cyber incident, which would have been unlawful if conducted by a potentially responsible state, is a prerequisite for the injured state to claim a due diligence violation. Third, even if state responsibility is successfully established along the legal path of due diligence, the responding measures that the accusing state might legitimately take should proportionately reflect the fact that the accused state did not conduct the malicious activities but, less harmfully, failed to address them with all feasible measures.

Evidentiary Requirements

General international law has not developed a set of clear rules or consistent guidelines on evidence. Key evidentiary issues such as burden and standard of proof are normally dealt with on an ad hoc basis. For cyber disputes, such ambiguity can be interpreted as a loophole that allows states to carry out malicious cyber activities without consequence; or it can be interpreted as an opportunity that allows states to sometimes make attributions recklessly.

Of those two evidentiary issues, burden of proof is less controversial. It is generally recognized that in “a bilateral dispute over State responsibility, the onus of establishing responsibility lies in principle on the claimant State.”24 Yet, somehow, a shift of the burden of proof has been mentioned as a mechanism specifically tailored for cyber attribution, sometimes referred to as a “virtual control” test.25 The main argument behind this idea is that in cyber disputes, the origin state for the alleged misbehavior has better access to the knowledge necessary to establish certain facts. This would probably cause more trouble than it intends to solve,26 as the prima facie responsibility of the accused state would be established with a shift of the burden of proof.

Regarding the standard of proof, a comparative assessment of international litigation can identify at least four different levels. In ascending order, these are:

  1. The prima facie possibility, which requires only indicative evidence of the claim.
  2. A preponderance of evidence, which concerns mainly the balance of probabilities of the two sides.
  3. The “clear and convincing” standard, which requires the party to prove the factual claims are substantially more likely true.
  4. Proof beyond reasonable doubt, which requires a full chain of evidence weighing together heavily toward one direction that is virtually indisputable.27

With some room for debate, ICJ cases and state practices support the “clear and convincing” standard for self-defense cases.28 For disputes with lower-level severity, a generally accepted principle—although without any specifics—is that evidentiary standards should vary along a sliding scale based on the severity of the offense. Extant cases that adopt the “preponderance standard” are mostly regarding territory disputes, which rarely involve state responsibility.29 From these premises, two deductions can be safely made. First, the adequate level of evidence for cyber public attribution should lie around the “clear and convincing” standard. Second, in any event, sufficient evidence to allow crosschecking can be a proper guideline.30

Some may disfavor setting an evidentiary standard. They may argue that the assessment of the adequacy of evidence is only meaningful in a legal forum, but most cyber public attribution cases won’t ever go through litigation. This seemingly realistic viewpoint neglects the fact that clarity about the amount and quality of evidence has its merits. According to Kristen Eichensehr, “Even if setting an evidentiary standard decreases the total number of public attributions, having fewer credible attributions is preferable to having a greater number of ill-founded or erroneous attributions.”31

Another opposing viewpoint is that it is hard to reconcile the evidentiary requirement on cyber attribution on one hand with the necessity to make a timely attribution on the other.32 This dilemma indeed exists. It should be subject to careful evaluation in specific contexts. But challenges in collecting and exhibiting evidence should not excuse evidence-less accusations.

Erroneous Attribution

If a state makes a cyber attribution with facts that turn out to be erroneous—or, even more seriously, if it carries out self-defense or countermeasures against an accused state based on ill-substantiated allegations—what legal consequences should the accusing state face? Underdevelopment of this legal issue provides extra room for ill-substantiated public attribution because no foreseeable punishment exists for irresponsible or erroneous allegations.

To begin with, it’s safe to infer that once the attribution proves to be based on false facts, the international wrongfulness of the subsequent self-defense or countermeasure adopted by the accusing state cannot be unquestionably eliminated. In other words, the accusing state may be held responsible for taking unjustified steps.

If the accusing state argues that it has used its best judgment and built its case for attribution on all then-available evidence in good faith, could claims of “reasonableness” and “honesty” exonerate its false judgment? A positive view is echoed by some scholarly papers,33 as well as official statements.34 For example, the Tallinn Manual explicitly asserts that “the exercise of the right of self-defense . . . is subject to the existence of a reasonable determination that an armed attack is about to occur or has occurred, as well as to the identity of the attacker. This determination is made ex ante, not ex post facto. Their reasonableness will be assessed based upon the information available at the time they were made, not in light of information that subsequently becomes available.”35

Opposing views hold that, whether made in good faith or not, a wrongful attribution in the first place will nonetheless make subsequent measures the fruit of a poisonous tree. The ILC holds that if, during an ex post examination, the attribution turns out to be wrongful because of errors in ex ante factual assessment, the mistaken state may be subject to responsibility whether its agents acted in good faith or not.36

Lastly, what if the accusing state makes a public attribution that later proves to be wrong, but it did not take concrete measures originally? Although the accused state does not suffer from the responding measures, harm to its fame and reputation has still been inflicted. Under such circumstances, should the accusing state be held partially responsible for the false attribution (which might have been intentional)? Would not holding it responsible encourage more ill-substantiated public accusations? This issue deserves more international discussion.

Toward a Norm on Responsible Public Attribution

Against the challenges posed by ill-substantiated public attribution, tentative solutions should be sought along the three lenses analytical framework, with due considerations paid to the technical, political, and legal dimensions. As this chapter focuses on the legal lens, an international norm on responsible state behavior in public attribution thus seems to be a possible way forward.

In this regard, the UN GGE has provided a sound basis by repeatedly emphasizing in its final reports that “the accusations of organizing and implementing wrongful acts brought against States should be substantiated.”37 Though righteous in its nature, this norm only points out the need for accusations to be substantiated but fails to elaborate how. Vis-à-vis the legal deficiencies previously discussed, a norm on responsible public attribution should embody the following points.

Starting with an out-of-the-box thought and a preliminary norm: states should make a formal request of consultation before making cyber attribution public; such consultation should be mandatory, confidential, and within a time limit. Such minor improvements to the process have proved to be rather useful in cutting down interstate disputes in other fields of international law, such as the World Trade Organization dispute settlement mechanism.38 If a similar mechanism exists in cyber conflict, the accusing state then has a way to consult privately with the accused state, seeking to have its interests met without forcing the latter into an awkward position. Most importantly, the substantiation problem may not be that contentious at this stage.

A combined norm on the rules of attribution, evidentiary requirements, and legal consequences of erroneous attribution could be phrased as:

  1. A state cannot be held responsible under international law solely because a problematic ICT activity was launched or otherwise originated from its territory or from its ICT infrastructure.
  2. A state should substantiate its public attribution with an adequate level of evidence for crosschecking, by default to the extent of establishing a clear and convincing case, depending on the purpose and severity of its claim.
  3. A state should refrain from taking responsive measures based on public attribution that has been inadequately substantiated, and it may take corresponding responsibility for making an erroneous or falsified attribution.

Before ending this chapter, it should be mentioned that entities other than states can also publicly attribute blame for a cyber operation, but for different aims and subject to different rules, if any. Private corporations, usually cyber security firms, may aim to enhance their influence, cultivate market demands, and ultimately cash out by selling products, services, and solutions on cybersecurity. Media may simply want an eye-catching story and may be easily manipulated by customized feeds of source information provided by enterprise or state organs. Since it falls outside of the purview of international law, the ill-substantiated public attribution problem with these entities merits a separate piece of analysis.

Notes

1 Florian Egloff, “Public Attribution of Cyber Intrusions,” Journal of Cybersecurity 6, no. 1 (Fall 2020): https://academic.oup.com/cybersecurity/article/6/1/tyaa012/5905454.

2 For chart illustrations covering the period of 2015–2020 verifying this deduction, see: Garrett Derian-Toth et al., “Opportunities for Public and Private Attribution of Cyber Operations,” Tallinn Paper Series no. 12 (2021): 8–9. Not surprisingly, the top five countries that made the most use of public attributions are all from the Five Eyes alliance, and China, Russia, Iran, and North Korea have been identified as the responsible actors for 75 percent of all state-sponsored offensive cyber operations.

3 Florian J. Egloff and Max Smeets, “Publicly Attributing Cyber Attacks: A Framework,” Journal of Strategic Studies (Spring 2021): https://www.tandfonline.com/doi/full/10.1080/01402390.2021.1895117.

4 “A Guide to Cyber Attribution,” U.S. Office of the Director of National Intelligence, September 14, 2018, https://www.dni.gov/files/CTIIC/documents/ODNI_A_Guide_to_Cyber_Attribution.pdf.

5 Some have noted that different purposes of public attribution relate to different levels of evidence. See: Kristen Eichensehr, “The Law & Politics of Cyberattack Attribution,” U.C.L.A. Law Review 67, no. 3 (July 2020): 19–36, https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3453804.

6 It is a long-debated question as to when cyber operations fall within the meaning of “armed attack” in the language of Article 51 of the UN Charter. See, for example, Priyanka Dev, “‘Use of Force’ and ‘Armed Attack’ Thresholds in Cyber Conflict: The Looming Definitional Gaps and the Growing Need for Formal U.N. Response,” Texas International Law Journal 50, no. 2 (2015): 381–401.

7 Lorraine Finlay and Christian Payne, “The Attribution Problem and Cyber Armed Attacks,” American Journal of International Law Unbound, 113, (2019): 202–6.

8 United Nations, General Assembly Draft Resolution, “Developments in the Field of Information and Telecommunications in the Context of International Security,” para. 10, U.N. Doc. A/C.1/73/L.27, October 22, 2018, available at: https://undocs.org/A/C.1/73/L.27.

9 The quoted phrase appeared in the first statement of the U.S. position on evidentiary issues. See: Brian J. Egan, “International Law and Stability in Cyberspace,” Berkeley Journal of International Law, no. 35, (2017): 177. Regarding legal underpinnings of evidentiary issues in cyber attribution, “the U.S., British, French, and Dutch efforts to block the development of customary international law on attribution” have been criticized as “shortsighted.” See: Eichensehr, “The Law and Politics of Cyberattack Attribution,” 521–98.

10 “Draft Articles on Responsibility of States for Internationally Wrongful Acts, With Commentaries,” UN International Law Commission, 2001, https://legal.un.org/ilc/texts/instruments/english/commentaries/9_6_2001.pdf.

11 “Responsibility of States for Internationally Wrongful Acts,” United Nations General Assembly, A/RES/56/83, January 28, 2002, available from https://undocs.org/en/A/RES/56/83.

12 James Crawford, State Responsibility: The General Part (Cambridge: Cambridge University Press, 2013), 146–54.

13 Case Concerning Military and Paramilitary Activities in and Against Nicaragua (Nicar. v. U.S.), 1986 ICJ Merits, ICJ Report.

14 Prosecutor v. Tadic, Appeals Chamber, Decision on the Defence Motion for Interlocutory Appeal on Jurisdiction, ICTY-94-1-AR72, 1995.

15 Scott Shackleford and R. Andres, “State Responsibility for Cyberattacks: Competing Standards for a Growing Problem,” Georgetown Journal of International Law 42 (2010): 971, 987.

16 Henning Lahmann, Unilateral Remedies to Cyber Operations: Self-Defence, Countermeasures, Necessity, and the Question of Attribution (Cambridge: Cambridge University Press, 2020), 88.

17 Prosecutor v. Tadic, paras. 131, 137.

18 The Corfu Channel Case (United Kingdom v. Albania), 1949 ICJ Merits, ICJ Report, https://www.icj-cij.org/en/case/1.

19 Michael N. Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 2nd ed. (Cambridge: Cambridge University Press, 2017), Rule 6. doi:10.1017/9781316822524. The rule reads: “State must exercise due diligence in not allowing its territory, or territory or cyber infrastructure under its governmental control, to be used for cyber operations that affect the rights of, and produce serious adverse consequences for, other States.”

20 “Report on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (Advanced Copy),” UN Group of Governmental Experts, May 28, 2021, Norm 13(c). The norm reads: “States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs.”

21 This last element may get us back to the dilemma of lack of primary rules on cyber obligations.

22 Lahmann, Unilateral Remedies to Cyber Operations, 91.

23 See: “Report on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (Advanced Copy),” UN Group of Governmental Experts, para. 71(g).

24 “Draft Articles on Responsibility of States for Internationally Wrongful Acts, With Commentaries,” UN International Law Commission, commentaries, Chapter V, 8.

25 Peter Margulies, “Sovereignty and Cyberattacks: Technology's Challenge to the Law of State Responsibility,” Melbourne Journal of International Law 14 no. 155 (Winter 2014): 296.

26 Lahmann, Unilateral Remedies to Cyber Operations, 93–97.

27 Ibid., 71.

28 Eichensehr, “The Law & Politics of Cyberattack Attribution,” 559–62.

29 See, for example, the Land, Island and Maritime Frontier Dispute (El Salvador/Honduras), ICJ Judgment of September 11, 1992, para. 248; see also, Sovereignty over Pedra Branca/Pulau Batu Puteh, Middle Rocks and South Ledge (Malaysia/Singapore), ICJ Judgment of May 23, 2008, para. 86.

30 See: Eichensehr, “The Law & Politics of Cyberattack Attribution,” 576–86.

31 See: Eichensehr, “The Law & Politics of Cyberattack Attribution,” 571–72.

32 Thomas Rid and Ben Buchanan, “Attributing Cyber Attacks,” Journal of Strategic Studies 38, nos. 1–2, (2015): 32.

33 See, for example, MJ Sklerov, “Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States Who Neglect Their Duty to Prevent,” Military Law Review, no. 201 (2009): 1.

34 See, for example, Presidential Policy Directive/PPD-20, White House, October 2012, p. 7.

35 Schmitt, Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, 2017, Rule 71, para. 23.

36 “Draft Articles on Responsibility of States for Internationally Wrongful Acts, With Commentaries,” UN International Law Commission.

37 See, for example, “Report on Advancing Responsible State Behavior in Cyberspace in the Context of International Security (Advanced Copy),” UN Group of Governmental Experts, para. 71(g).

38 “Understanding on Rules and Procedures Governing the Settlement of Disputes,” World Trade Organization, annex 2 of the WTO Agreements.