- University of Amsterdam -
The ILC Articles on State Responsibility in the digital age: properly equipped for a rapidly modernising society?
Examining the application of the framework for attribution of conduct in cyberspace
Master thesis International and European Law
Name: Joost de Vries
Student number: 11420561
Email: jdv93@live.nl
Track: Public International Law Supervisor: Dr. N. Nedeski
Table of contents
Abstract 2
Introduction 4
Chapter 1: The law of State Responsibility 5
1.1 The ILC Articles 5
1.2 Attribution of conduct: Articles 4-11 7
1.3 De facto organ or control over conduct: Article 4 and Article 8 9 1.4 Different degrees of control and their effect on attribution 11
Chapter 2: Attribution in cyberspace 14
2.1 The application of the ILC framework to cyberspace 14 2.2 The relationship of technical attribution and legal attribution 17 2.3 Technical attribution to a person or to a machine 19 2.4 The standard of evidence available in cyberspace 20
Chapter 3: The avenue of due diligence 23
3.1 Due diligence: an obligation to prevent? 23
3.2 The application of the Corfu Channel-case to cyberspace 24
3.3 A reversed burden of proof 27
Conclusion 30
Introduction
At the time of writing this thesis, there is an ongoing discussion within the governments of several member states of the European Union about the different meanings the word ‘attribution’ can have.1 When asked about the meaning of attribution, international legal
scholars discuss the process of attribution of conduct to a State within the framework of international responsibility. For cyber-experts, attribution entails the process of identifying the origin of a cyber activity.2 This apparent linguistic confusion led to the writer’s interest to
research the application to cyberspace of the international legal framework regarding responsibility for conduct by a State, contained in the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA).
The main research question seeks to address the particularities of cyberspace with regard to the framework of establishing responsibility for conduct by a State, as set out in the ILC Articles. In recent practice, it has become clear that States delegate certain operations in cyberspace to private individuals and entities. Due to the often anonymous nature of actors in cyberspace, and the multi-stage approach they take in their conduct, attribution of conduct to first of all a specific person and secondly to a State is an intricate, technical and legal process. It will firstly need to be established what the current framework of establishing responsibility for conduct by a State entails. This constitutes the first sub-question and will be dealt with in the first chapter. The second chapter deals with the next question, namely how the rules regarding attribution of conduct currently are applied within the context of cyberspace.
The final subquestion, which is contained in chapter three, seeks to assess whether the obligation of due diligence could be a way to avoid the problems with attribution of conduct, and at the same time invoke the responsibility of an involved State.
Taking all the above into account, a conclusion will be drawn regarding the applicability of the framework of establishing responsibility for conduct by a State and the potential role of the obligation of due diligence in establishing responsibility.
In terms of method, the thesis will look at lex lata regarding state responsibility and attribution of conduct. This lex lata regards the rules as laid down in the ILC Articles. Even
1 https://www.iss.europa.eu/sites/default/files/EUISSFiles/Brief%2024%20Cyber%20sanctions.pdf; http://www.epc.eu/documents/uploads/pub_9081_responding_cyberattacks.pdf?doc_id=2120. 2 Clark, Landau, Untangling Attribution, p. 25.
though these do not constitute a source of international law in the positivist sense of art. 38 of the Statute of the ICJ, there exists widespread acceptance that the majority of these articles constitute customary international law.3 The next issue that will be addressed is the practical
application of attribution in cyberspace: by using examples of technical difficulties with tracing activities in cyberspace to their source, the main problem of attribution in cyberspace will be illustrated. Simultaneously, judgments of courts and tribunals will be assessed for relevant doctrine regarding the level of control by a State over certain conduct. Finally, academic debate, stemming from scholarly articles, will be taken into account to sketch the context of the matter. When taking all of this into account, an attempt will be made in the conclusion to answer the main research question.
Chapter 1: The law of State Responsibility
To begin our research into the particularities of the law of State responsibility in cyberspace, we must look into the general framework first. This general framework consists of the ILC Articles that have been adopted by the UN General Assembly in 2001, and the body of case law that has contributed to the development of this field of the law throughout the years. We will first look shortly at how they came into existence, to show that this field of law is developing and has been developed over many decades.
1.1 The ILC Articles
In 1927, the Permanent Court of International Justice (PCIJ) formulated a principle as follows in its Factory at Chorzow judgment: “It is a principle of international law that the breach of an engagement involves an obligation to make reparation in an adequate form.”4 Later, in the
Phosphates in Morocco case, the PCIJ affirmed that when a State commits an internationally wrongful act against another State international responsibility is established “immediately as between the two States.”5 The existence of this principle was also recognized by the scholarly
3 Talmon, S. “The Responsibility Of Outside Powers For Acts Of Secessionist Entities.” International
Comparative Law Quarterly, vol. 58, 2009, p. 495; Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro), Judgment, 2007, ICJ
Reports 43, paras 385, 398, 401, 407; Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v Uganda) (Judgment) [19 Dec 2005] ICJ Rep, para 160.
4 Factory at Chorzów, Jurisdiction, Judgment No. 8, 1927, P.C.I.J., Series A, No. 9, p. 21.
5 International Law Commission, ‘Draft Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries’ (2001) A/56/10, p. 7; Phosphates in Morocco, Judgment, 1938, P.C.I.J., Series A/B, No. 74, p. 10, at p. 28.
community, and propagated specifically by the Italian scholar and judge on the PCIJ Anzilotti, who stated that “the existence of an international legal order postulates that the subjects on which duties are imposed should equally be responsible in the case of a failure to perform those duties.”6 The law of international responsibility stretches further than merely
the application to States, however for the purpose of this thesis the focus will be on State responsibility.
In 2001, the Articles on the Responsibility of States for Internationally Wrongful Acts (ARSIWA) were adopted by the General Assembly of the United Nations.7 The International
Law Commission (ILC) had gathered relevant case law and scholarly debate, and distilled all this into these articles “by way of codification and progressive development.”8 According to
the ILC, the Articles constitute secondary law, in the sense that they formulate the general conditions under which States are responsible for their conduct or omission.9 They do not
attempt to define the primary breach from which this responsibility flows. Many of the articles from the ARSIWA are being regarded as reflecting customary international law, and are being cited by the ICJ in that manner.10 Thus together with the notion that these articles
are intended to stipulate rules of a secondary nature and not primary ones, this indicates their legal status.
The result of this process is found in Article 1, which contains the general principle of international responsibility: “Every internationally wrongful act of a State entails the international responsibility of that State.”11 According to the ILC, “the term ‘international
responsibility’ covers the new legal relations which arise under international law by reason of the internationally wrongful act of a State.”12 The exact content of this new relationship
depends on several factors which can be found later in the articles as well. However, for the purpose of this thesis, the focus will be on the establishment of this new relationship of responsibility. More specifically, we will look into one aspect that is essential for the establishment responsibility, namely the aspect of attribution of conduct to a State.
After stipulating the general rule, the ARSIWA identify two elements that need to fulfilled in order to give rise to state responsibility. These can be found in Article 2, and entail the conditions that the conduct or omission of a State is attributable to that State, and constitutes a
6 D. Anzilotti, Cours de droit international, (trans Gidel, 1929) (Paris, Panthéon-Assas/LGDJ, 1999), p. 467. 7 United Nations General Assembly Resolution 56/83, A/Res/56/83, 2001.
8 ILC Articles and Commentary, p. 31. 9 Commentary n2, p. 1.
10 Supra n3.
11 Article 1 ARSIWA. 12 Commentary n2, p. 7.
breach of an international obligation of that State.13 For the purpose of this thesis, the focus
will firstly be on attribution. The element of what determines a breach will be dealt with in connection to the obligation of due diligence in the final chapter.
One important element that is not mentioned here, is that of damage. The ILC has stated that this element only plays a role in the new legal relationship after responsibility has been established, therefore not being a prerequisite for the establishment of international responsibility.14
1.2 Attribution of conduct: Articles 4-11
“States can act only by and through their agents and representatives.”15 This statement of the
PCIJ is the starting point of Chapter II of the ARSIWA, and the basic rule attributing to a State the conduct of its organs.16 It is clear that States cannot act themselves, but will always
act through an intermediary: through either an entity or an individual or a group of individuals. To establish whether conduct of such an intermediary should be regarded as conduct of a State, one has to look at attribution. Attribution is a legal mechanism for handling the collectivity of subjects of international law. It sets out the conditions that have to be satisfied in order to determine that a state or another subject of international law has performed a particular act.17
There exists an important difference between attribution of responsibility and attribution of conduct.18 Responsibility does not always need to be based upon attribution of conduct.19 For
example, there exists the possibility of responsibility of a State in connection with the act of another State.20 In such an instance, the conduct in question is not attributed to the State but
the responsibility for that conduct is. These matters are being dealt with in the ILC Articles in Chapter VI, but in this thesis we will not go into that matter. This thesis focuses not on State responsibility in connection with the conduct of another State, but on State responsibility in
13 Article 2 ARSIWA.
14 Crawford J, ‘Introduction – Responsibility and International Law’ in James Crawford, Alain Pellet and Simon Olleson (eds), The Law of International Responsibility (OUP 2010), p. 9.
15 German Settlers in Poland, Advisory Opinion, 1923, p.c.i.j., Series B, No.6, p. 22. 16 Commentary, p. 29.
17 Fry J, ‘Attribution of Responsibility’ in André Nollkaemper and Ilias Plakokefalos (eds), Principles of Shared Responsibility in International Law (CUP 2014), p. 3; L. Conforelli and C. Kress, ‘The Rules of Attribution: General Considerations’, in J. Crawford, A. Pellet and S. Olleson (eds.), The Law of International Responsibility (Oxford: OUP, 2010), p. 221.
18 Fry, p.1.
19 Fry, p.2; G. Gaja, ‘Second Report on the Responsibility of International Organizations’, UN DOC. A/CN.4/541 (2004), para. 11.
connection with a State’s own conduct or that of an individual or entity which can be attributed to it. For the purpose of this paragraph we look at the framework for attributing certain conduct of an entity or an individual or a group of individuals to a State.
When is certain conduct or an omission attributable to a State? As stated before, the basic rule entails that a State is responsible for the conduct of its organs. This is laid down in Article 4, with the second paragraph stipulating when a person or entity constitutes an organ of a State: the internal law of that State awards that status to a person or an entity.21 This category, which
can be found in Article 4, entails the so-called de jure organs: organs with a status that stems from domestic law.22 In this respect, the conduct of an organ that is placed at the disposal of a
State by another State, is considered an act of the former State as well.23
Since the status of a State organ depends on the internal law of that State, the possibility arises for States to attempt to avoid responsibility through adaptions of its domestic law. To circumvent such a gap in international law, there exist two ways in which conduct can be attributed to a State even though its internal law does not award organ-status to the actor of that conduct. First of all, a group or entity can be regarded as a de facto organ of a State.24
When this is the case, a group or entity can be equated in its entirety to a State organ, meaning that all of its conduct is attributable to the State.25 Later on in this thesis we will discuss
further what is required in order for a group or entity to be regarded as a de facto organ. Secondly, the nature of the conduct can be a reason to attribute such conduct to a State: when a person or entity exercises elements of governmental authority that conduct is attributable to the State in that instance,26 even when such conduct is in excess of authority or contravenes
instructions.27 This type of conduct will not be discussed further in this thesis. Even though
this aspect of the law of State responsibility raises its own questions, these are not particular for the realm of cyberspace.
Additionally, in cases of conduct where a clear link exists between a State and an individual or entity through instructions, direction or control, this too amounts to an act of that State.28
The elements of instructions, direction and control will be elaborated on further below.
21 Article 4.2 ARSIWA.
22 Kittichaisaree, K. “Public International Law of Cyberspace.” Springer (2017), p. 37. 23 Article 6 ARSIWA.
24 Talmon, p. 498.
25 Idem; Bosnian Genocide par. 391, 397; Nicaragua par. 109; Armed Activities, par. 160; ILC Articles and Commentary, p. 42.
26 Article 5 ARSIWA. 27 Article 7 ARSIWA. 28 Article 8 ARSIWA.
Article 9 and 10 concern situations where no effective government exists, with conduct either amounting to elements of governmental authority or conduct by a movement that later becomes the new government of a State. Article 11 sees to the scenario where a State adopts certain conduct as its own that previously was not considered as such.
In the next paragraph, we will delve deeper into the specifics of Article 4 and 8. Since these articles look at the determination whether control over an entity in general or its specific conduct is sufficient to attribute it to a State, these will be most relevant for the type of attribution we will be dealing with in Chapter 2. It will be argued that issues with attribution in cyberspace become most intricate when actors attempt to specifically hide their connection to a State, or disguise their identity in general. It is the conviction of this author that these difficulties show most prominently in cases of attribution with regard to Article 4 and Article 8. Therefore in the next paragraph, more specifically, we will look at the level of control by a State which is required over either an entire entity or over specific conduct for it to be attributable to a State.
1.3 De facto organ or control over conduct: Article 4 and Article 8
This paragraph looks deeper at the nexus between certain conduct and a State that is created through a level of control by the State over that conduct or the actor of certain conduct.
Paragraph 2 of Article 4 mentions that an organ ‘includes’ any person or entity which has that status in accordance with the internal law of the State.29 According to the Commentary, this
has been phrased in this manner so as to not give States the opportunity to exclude conduct by organs from its responsibility simply by referring to its internal law.30 Therefore, we have
mentioned in the paragraph above the existence of de facto organs: organs which do not have the status of an organ under internal law, but do in practice.31 To determine whether an entity
amounts to such an organ, we need to look at its relationship with the State.32 This relationship
should amount to “one of dependence on the one side and control on the other.”33 The Court
envisaged a relationship of complete dependence and control by the State over an individual or a group, and it stressed that such control should cover all fields of the entity’s activities.34
29 Article 4.2 ARSIWA.
30 ILC Articles and Commentary, p. 42. 31 Talmon, p. 498.
32 Idem.
33 Idem; Bosnian Genocide par. 391, 397; Nicaragua par. 109; Armed Activities, par. 160. 34 Nicaragua, p. 109.
Only then would the threshold of a de facto organ be met. How the Court determines whether such a relationship exists, will be discussed in the next paragraph.
Article 8 concerns the instance where a person or group of persons is not considered an organ under the internal law of the State, and is also not a de facto organ. However, the article stipulates that certain conduct by that group can be attributed to a State when there exists proof of a level of control by the State with regard to that specific conduct. According to the article, this control can take the form of instructions, direction or control. Important to stress here is that this article only enables the attribution of the specific conduct that the State controls, unlike attribution based on Article 4 where all conduct of an organ is attributable to the State.35
According to the Commentaries, instructions should be regarded as the State authorizing certain conduct, regardless whether such conduct amounts to the exercise of governmental authority.36 What is required, is that such conduct amounts to an internationally wrongful act
in case it would have been perpetrated by the State.37 As one scholar puts it, instructions
create an ad-hoc relationship between the actor and the State.38 Additionally, these
instructions need to be given with regard to every instance of conduct in which a violation takes place, and cannot be of a general nature covering several operations.39 When
instructions are not followed, and in that conduct an internationally wrongful act is perpetrated, a State is only responsible in case the individual or group of individuals is under effective control of that State.40
Direction or control is often viewed as constituting the same relationship, and has to exceed the threshold of an “incidental or peripheral association.”41 The basis for the text in the
ARSIWA regarding control lies in the Nicaragua judgment of the ICJ.42
When looking only at specific conduct that a State can be held responsible for, the Court uses the requirement of effective control by a State over certain conduct.43 A general situation of
dependence and support will be insufficient to justify attribution of the conduct to the State.44
35 ILC Articles and Commentary, par. 4 on art. 8. 36 ILC Articles and Commentary, par. 2 on art. 8. 37 Ref. Article 2.b ARSIWA.
38 Tsagourias, N. (2012). Cyberattacks, Self-Defence and The Problem of Attribution. Journal of Conflict and
Security Law, vol. 17 (2012), p. 237.
39 Kittichaisaree, p. 38.
40 ILC Articles and Commentary, par 8 on art. 8. 41 ILC Articles and Commentary, par. 3 on art. 8.
42 ILC Articles and Commentary, par. 4 on art. 8; Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America), Merits, Judgment, I.C.J. Reports 1986, p. 51, para. 86.
43 Ibid., pp. 62 and 64–65, paras. 109 and 115. 44 ILC Articles and Commentary, par. 4 on art. 8.
The above shows that it merits to further explore the level of control that is required in order for certain conduct to be attributable to a State. Several courts and tribunals, both international and domestic, have interpreted the requirement of control. In the next paragraph, several of these interpretations will be examined to further assess the intricacies that come into play when attributing conduct to a State.
1.4 Different degrees of control and their effect on attribution
As stated in the previous paragraph, the level of control that is required to attribute certain conduct to a State is subject of interpretation. Several national and international courts and tribunals have in cases with different factual circumstances weighed in on the debate. Depending on the type of attribution, different tests apply.45 Article 4 of the ARSIWA
foresees in the situation of a de facto organ, which requires complete dependence on a State.46
For this type of relationship, the ICJ has formulated the strict control test in its Nicaragua judgment, consisting of the following elements: complete dependence by the entity on the outside power, extending to all fields of activity, of which the outside power has actually made use.47 As Talmon explains, “complete dependence means that the entity is ‘lacking any
real autonomy’ and is ‘merely an instrument’ or ‘agent’ of the outside power through which the latter is acting.”48
When this strict control test is not passed, the ICJ may move on to another test it developed to see whether a State has exercised effective control over merely specific conduct: to see whether there exists partial dependency.49 This regards the type of attribution which is
relevant for Article 8 ARSIWA, and is determined by the use of the effective control test.50 As
mentioned above, a general situation of dependence and support will be insufficient to justify attribution of the conduct to the State.51 Control must manifest itself in all phases of conduct,
including planning, instructing and executing.52 Also, as mentioned above with instructions as
well, control must be effective with regard to every instance of conduct constituting a violation and cannot be merely general with regard to several operations.53
45 Talmon, p. 498. 46 Idem.
47 Talmon, p. 498.
48 Talmon, p. 499; Nicaragua par. 109-110; Bosnian Genocide, par. 392, 393. 49 Talmon, p. 502.
50 Kittichaisaree, p. 38.
51 ILC Articles and Commentary, par. 4 on art. 8. 52 Talmon, p. 503; Nicaragua, par. 112.
The International Criminal Tribunal for the former Yugoslavia touched upon the subject of control over conduct in the appeal in the Tadic case. Here it introduced an alternative to the effective control-doctrine that was brought into existence by the ICJ in its Nicaragua judgment. The Tribunal introduced a differentiated view with regard to control over either individuals or unorganized groups or organized groups.54 It stipulated that for organized
groups, overall control over that group by a State would suffice for the State to be responsible for its conduct.55 Further in this reasoning, the Tribunal states that when a State is involved in
equipping the group and is aiding the group with planning or its military activities, there is no need for the State to be explicitly involved in the specific conduct that violates international law.56
In its Loizidou judgment, the European Court of Human Rights established its own effective overall control test, to determine whether Turkey had effective control over a geographic area and was therefore responsible for the protection of individual rights of the inhabitants of that area.57 Because it had to apply a test of control by a State not over a group of individuals but
over a geographic area, the Court saw itself forced to formulate a new threshold.
Also in the realm of the Bosnian genocide is the Nuhanovic case of the Dutch Supreme Court. The Dutch Court looked at effective control and “specific instruction”. This entails not only theoretical control, but factual control over the events.58 In absence of instructions, the Court
looks at who would have the power and the legal ability to prevent the specific conduct.59
Taking these elements together, the Dutch Supreme Court stipulated that effective control is exercised by the entity that can act effectively and within the law to prevent certain acts. These acts that have to be prevented concern, as mentioned, the commission of genocide. However, in the Bosnia Genocide case, the ICJ made it clear it does not agree with the overall control test, and reaffirmed the effective control test stemming from its Nicaragua judgment.60
As some scholars put it, the ICJ “authoritatively settled the debate.”61 Yet when taking all
54 Tsagourias, p. 238.
55 Prosecutor v Tadic´ (Appeal), International Criminal Tribunal for former Yugoslavia, ICTY-94-1-A (15 July 1999), par. 131.
56 Idem.
57 Ortega, E. “The Attribution of International Responsibility to A State for Conduct of Private Individuals Within the Territory of Another State.” INDRET (2015), p. 29; Loizidou v Turkey (Merits) Judgment, Application nº 15318/89 (18 December 1996).
58 Nuhanovic (The State of the Netherlands v. Hasan Nuhanovic), Supreme Court of the Netherlands, Judgment, 6 September 2013, 12/03324, par. 5.9-5.18.
59 Nuhanovic, par. 5.9.
60 Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro), Judgment, 2007, ICJ Reports 43, paras 403–406.
61 Messineo F, ‘Attribution of Conduct’ in André Nollkaemper and Ilias Plakokefalos (eds), Principles of Shared Responsibility in International Law (CUP 2014), p. 6.
these interpretations, and especially the authoritative statement by the ICJ, into account, one has to recognize there exists some unease with judges with regard to the proper threshold of control in different circumstances. It therefore merits assessment to see how this doctrine regarding attribution is applied to cyberspace.
Chapter 2: Attribution in cyberspace
In the general outline of the law of state responsibility in the chapter above, it becomes clear that attribution of conduct to a State comes with multiple difficulties. These difficulties do not disappear when entering the realm of cyberspace. What is different, however, is the nexus between the actor and the conduct. The challenges posed by the ability of actors in cyberspace to hide their identity are numerous, and both technical and legal in nature.62 Yet, attribution
remains predominantly a question of law, and therefore requires a legal approach.63 In order to
delve deeper into the matter of attribution, and specifically in the cyber realm, this second chapter deals with the more technical specifics of attribution in cyberspace and their connection to the legal process of attribution.
2.1 The application of the ILC framework to cyberspace
As mentioned before, the general applicability of the law of State responsibility to cyberspace is not disputed.64 How it is actually applied, though, differs from case to case depending on
the type of obligation that is breached. To illustrate what types of obligations and breaches thereof come into play, we quote a part of the first Tallinn Manual regarding this specific issue:
“In the realm of cyberspace, an internationally wrongful act can consist, inter alia, of a violation of the United Nations Charter (e.g. a use of force committed through cyber means) or a violation of a law of armed conflict obligations (e.g., a cyber attack against civilian objects) attributable to the State in question. A breach of peacetime rules not involving conflict (e.g. a violation of the law of the sea or non-intervention principle) also constitutes an internationally wrongful act. As an example, a warship of one State is prohibited from conducting cyber operations that are adverse to the coastal nation’s interests while in innocent passage.”65
62 Antonopolous, C, ‘State responsibility in cyberspace’, in: Buchan R, Tsagourias N., Research Handbook on International Law and Cyberspace. Cheltenham, Edward Elgar Publishing, 2015, p. 63; Koh, p. 247.
63 Antonopoulos, p. 63; Commentary, p. 38-39.
64 Supra n3: The ILC Articles constitute customary international law, which applies to all fields of international law.
In the first chapter we addressed what factors are relevant in traditional cases where States attempt to incur another State’s responsibility. What we have seen is that the combination of the text of the ILC Articles and the corresponding case law of the ICJ creates a restrictive framework for the attribution of conduct to a State. In the Tallinn Manual, the International Group of Experts “imports this restrictive language” to the realm of cyberspace.66 It is,
however, very much the question whether this framework can be applied to this new area of society one on one. As one writer points out:
“Attributing legal responsibility for cyber attacks to states is made more difficult because it is preceded by a challenging technical step: discerning the actual source of the attacks. In conventional international armed conflicts involving kinetic attacks, this is not a problem. State forces typically distinguish their weapons and personnel with clear markings that identify their provenance.”67
As we will see in the paragraphs below, identifying the source of conduct is not the only issue that complicates the matter of attribution in cyberspace. But for the moment, let’s have a look at a cyber attack that targeted Estonia in 2007.
During a period of several weeks, websites of several public and private institutions in Estonia were down as a result of a cyber attack.68 The attack, was later revealed, consisted of a botnet
of around 85.000 computers that were infected by malware in approximately 178 countries.69
Estonia’s Computer Emergency Response Team was able to trace back the attack to a Russian nationalist group, but a connection between the Russian Federation as a State and the nationalist group was not made.70 Later evidence that was based on a confession, however,
showed that officers working for the Kremlin were directly involved in the attack.71 Since the
attack was thus executed by Russian government personnel, one could argue that the conduct is attributable to Russia on the basis of Article 4 ARSIWA. The nexus of conduct in cyberspace by an individual or a group and the State is in this case proven through the testimony of the perpetrator, who happens to work for the Russian government and is
66 Margulies, P. “Sovereignty and Cyber Attacks: Technology’s Challenge to the Law of State Responsibility.”
Melbourne Journal of International Law, vol. 14 (2013), p. 507.
67 Margulies, Sovereignty and Cyber Attacks, p. 502-503. 68 Margulies, Sovereignty and Cyber Attacks, p. 501-502.
69 Tsagourias, N. (2012). Cyberattacks, Self-Defence and The Problem of Attribution. Journal of Conflict and
Security Law, vol. 17 (2012), p. 233.
70 Li, S. “When Does Internet Denial Trigger the Right of Armed Self-Defense?” Yale Journal of International
Law, vol. 38, no. 179 (2013), p. 180.
therefore a de jure organ. The conduct of Russia in this case would amount to a breach of the obligation of non-intervention, entailing Russia’s international responsibility.
Another example would be the attack on Georgia in 2008. Here, similarly as in the case described above, numerous public and private institutions were targeted with a cyber attack causing their websites to shut down or be unavailable.72 The attacks could be traced back to
Russian territory, and even to State-owned infrastructure.73 However, due to the possibility of
unauthorized control over that infrastructure by a third party, this does not immediately mean that the State is responsible.74 Due to the lack of concrete evidence showing which individual
pushed the button and who is responsible for that individual (possibly a State or simply the individual itself), attribution of conduct is impossible. For the sake of analysis, let’s assume the group behind this attack is not a de jure organ but does have other ties to the government. They receive training and funding, with which they have bought their equipment and without which they could not have operated, for specific activities like those perpetrated in Georgia. According to the ICJ’s doctrine in the Nicaragua and Bosnia Genocide cases, the group could theoretically be qualified as either a de facto organ, for which the strict control test applies. However, it is clear that there exists no relationship that amounts to “complete dependence by the entity on the outside power, extending to all fields of activity, of which the outside power has actually made use.”75 The next step, then, is to see whether there exists effective control
over specific conduct. As we have seen in the first chapter, such control must manifest itself in all phases of conduct, including planning, instructing and executing.76 This could be, for
example, satisfied in case a government official was posted in the group and had a leading role in all of these phases. Yet that is not the fictitious case, which makes the State not responsible for the conduct of the group. But, the State is still responsible for its own conduct. According to the ICJ, provision of support can lead to a breach of the principle of non-intervention.77 This breach of an international obligation naturally entails the responsibility of
that State.
Generally, for a target State to collect evidence to prove a relationship of control, is already incredibly difficult in traditional cases, let alone in cyberspace. In the case of the attack in Estonia, such evidence is provided by a testimony. Without such a testimony, or any other
72 Tikk E., Kaska K., and Vihul L. “International Cyber Incidents: Legal Considerations.” Cooperative Cyber Defence Centre of Excellence (2010), p. 72.
73 Tikk, Kaska, Vihul, p. 75. 74 Idem.
75 Talmon, p. 498.
76 Talmon, p. 503; Nicaragua, par. 112. 77 Nicaragua par. 242; Tallinn Manual p. 38.
evidence stemming from within the organization itself, successful attribution is highly unlikely. The case of the attack in Georgia shows that such a lack of evidence halts the process, whereas theoretically the framework for attribution is applicable. The next paragraphs will look further into the matter of evidence in cyberspace.
2.2 The relationship of technical attribution and legal attribution
Attribution with regard to State responsibility in cyberspace has multiple aspects: legal, technical, and political.78 Attribution in the legal context entails ascribing particular acts by
individuals to States.79 In order to successfully do this, one needs to prove a significant nexus
between certain conduct and a State.80 This is first of all done through a technical process of
identifying the computer from which the conduct stems.81 Secondly, for the legal framework
of international responsibility to be effective, there needs to exist a sufficient link between the individual actor and the State.82 Finally, a political decision is required to activate the legal
process of invoking another State’s responsibility.83
What is remarkable about attribution in cyberspace, then, is that there exists the possibility for individuals to ensure a high level of anonymity when undertaking certain acts.84 Therefore, in
order for attribution of acts to a State to take place, one has to establish attribution on a technical level first to identify the source of conduct.
That technical attribution entails the tracing back of an activity to a computer or a server.85
This happens by identifying its IP-address, or Internet Protocol address, the location of a computer within a network, and is called machine-level attribution.86 However, this IP-address
is linked not to a unique computer, but to the router of a network.87 Routers are specialized
computers that determine the route data must take, in order to arrive at the proper IP-address.88 For example, in a household with multiple computers connected to the Internet
through the same router, they will have the same IP-address. So tracing back conduct to a certain IP-address does not give absolute certainty which computer the conduct stems from.
78 Tsagourias, Cyber Attacks, p. 233. 79 Antonopoulos, p. 62.
80 ARSIWA arts. 4-11.
81 Clark, D., Landau, S. “Untangling Attribution.” Harvard National Security Journal, vol. 2 (2011), p. 25. 82 Article 2 ARSIWA.
83 Tsagourias, Cyber Attacks, p. 234. 84 Antonopoulos, p. 62.
85 Clark, Landau, Untangling Attribution, p. 39. 86 Ibid, p. 37.
87 Ibid, p. 27. 88 Idem.
Additionally, there are ways in which an actor can hide their IP, route their connection through different servers, or ‘spoof’ their IP which makes it seem in a different location than it actually is.89 This makes linking the computer to a specific person even more difficult
outside a State’s jurisdiction, due to the limited possibilities to conduct research.90 The ICJ
recognized that collecting evidence outside a State’s jurisdiction gives rise to difficulties, and allowed State a more liberal recourse to evidence.91 This will be further discussed below.
The practice of hiding one’s own IP-address is only useful in the specific case of a DDoS-attack.92 This is because of the specifics of this type of attack, where no information is
required back to the malicious actor. The goal of such an attack is to merely bombard a server with information or access requests resulting in its malfunction, and therefore no valid source address is needed.93 Any other type of malicious conduct where an exchange of information is
desired, such as espionage, requires a valid source address for the data to be transferred to.94
In many instances, actors will use a multi-stage approach in their conduct.95 Actors perpetrate
another computer, through which other computers will be infected until enough capacity is available for the malicious act.96 It becomes an intricate challenge to trace the conduct back to
the computer that belongs to the malicious actor.97 Especially when these computers are
located in different jurisdictions, it becomes more complicated to conduct an investigation.98
Yet, even here, almost all links in the chain will have a valid source address.99 It will be a
matter of quick reactions, since conduct in cyberspace can materialize and disappear rather quickly.100
An additional hurdle comes with the next step: in order to effectively attribute conduct to a State, one has to prove the existence of a nexus between the conduct and the State. In other
89 Chircop, L. “A Due Diligence Standard Of Attribution In Cyberspace.” International and Comparative Law
Quarterly,vol. 67, no. 3 (2018), p. 646; Macak, K. “Decoding Article 8 of the International Law Commission’s
Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors.” Journal of Conflict &
Security Law, vol. 21, no. 3 (2016), p. 405, 407-408; Antonopoulos, p. 55, 62; Tsagourias, Cyber Attacks, p.
229, 233.
90 Clark, Landau, Untangling Attribution, p. 37. 91 Tsagourias, p. 234; Corfu Channel p. 18.
92 Clark, Landau, Untangling Attribution, p. 39; DDoS is short for Distributed Denial of Service, and entails the practice of overloading a server’s capacity by constantly requesting information. See also:
https://www.cloudflare.com/learning/ddos/what-is-a-ddos-attack/. 93 Margulies, Sovereignty and Cyber Attacks, p. 501.
94 Clark, Landau, Untangling Attribution, p. 39. 95 Ibid, p. 31.
96 Idem. 97 Ibid, p. 39.
98 Tsagourias, Cyber Attacks, p. 233. 99 Idem.
words, the person operating the computer needs to be found.101 Once this person is identified,
the traditional steps of attribution can be taken to see whether their conduct is attributable to a State.
2.3 Technical attribution from a machine to a person
For State responsibility to come into play, a nexus is required between certain conduct and a State. In cyberspace, what needs to be identified first is the connection between a computer and a person.102 As we have shown above, identification of a computer happens through its
IP-address. Thus it appears that an internationally wrongful act is first of all ascribed to a computer, without the knowledge which person operates that computer.103 Such knowledge
should then be obtained through other information sources, either open source or intelligence information.104 The link between the computer and a person brings the matter of attribution
from the technical perspective to the legal matter.
Once the person has been identified, the traditional framework of attribution as found in the ILC Articles can be applied in order to determine whether the conduct is attributable to a State. In absence of the information identifying the person operating the computer, some scholars argue that when a computer falls under the exclusive jurisdiction of a State, this suffices to attribute the conduct to that State.105 However, with the description above
regarding the possibilities of a multi-stage approach and spoofing one’s IP-address, it remains an unstable ground for attribution. The IGE that composed the Tallinn Manual, recognized this shortcoming as well: it adopts a cautious approach with regard to conduct that stems from government cyberinfrastructure.106 According to the Manual, this is merely an indication of
possible State association with the conduct.107 As we have seen above in the case study
regarding the attack on Georgia in 2008, infrastructure can be hijacked by a malicious actor through malware.108 This technical novity (in respect to traditional cases) makes it impossible
to attribute conduct to a State simply on the basis that this conduct stems from governmental infrastructure. In the next chapter we will look at other ways of attributing responsibility to a State for instances of conduct stemming from its territory.
101 Chircop, p. 646.
102 Tsagourias, cyberattacks, p. 233; Clark, Landau, Untangling Attribution, p. 37. 103 Antonopoulos, p. 62.
104 Idem. 105 Idem.
106 Antonopoulos, p. 63; TM 01 39-40. 107 Idem.
That leaves us with an impossible task then, as it seems. When actors can successfully hide their identity, or at least leave a plausible deniability, the route to attribution is cut off. Because without sustaining evidence, there is no solid case. In the next paragraph we will look further at the evidentiary requirements in cyberspace, and the different views that have been expressed by scholars.
2.4 The standard of evidence available in cyberspace
What is clear, is that there is no alternative framework for attribution. There is one set of ILC Articles regarding State responsibility for the entire body of international law. However, the foregoing shows that due to technical capabilities certain actors have to disguise their identity in cyberspace, they find themselves in a realm of impunity. The critique on the Tallinn Manual in this regard is that it does not seem to give a solution for the issues regarding attribution, but leaves the matter “surrounded in ambiguity.”109 The Tallinn Manual 2.0
prescribes that States that are under attack must make a decision to respond or not, as the attack is occurring.110 The decision by the injured State becomes subject of scrutiny after the
entire situation has passed, opening up the possibility for claims in case the target State has made a wrong judgment.111 The IGE makes an appeal to the State in this case to act
“reasonably”, as other States might act in similar circumstances.112 Due to the lack of a clear
standard for cyberspace, it is argued, it is left up to the injured State to decide on a path that is most fruitful, and thereby creating a free-for-all of the sorts.113
When a State attempts to attribute an act to another State, that becomes a matter of evidence, and the territorial location of the suspected computers serves as a starting point.114 The
difficulties with identifying the person behind the conduct in cyberspace, trigger some scholars to argue for an evidentiary standard that suits the specific nature of cyberspace.115
With examples from the Corfu Channel case, and the Bosnian Genocide case, where the Court did not demand the production of classified documents, it is argued that the probity of evidence by the ICJ is “rather lax.”116 Knowing this, and combining it with the particularities
of conduct in cyberspace, a “very liberal approach to evidence” should be introduced in cases
109 Antonopoulos, p. 63. 110 Kittichaisaree, p. 42; TM 2.0 Chapter 4. 111 Idem. 112 Idem. 113 Antonopoulos, p. 63. 114 Antonopoulos, p. 63; TM 01 p. 25-26. 115 Antonopoulos, p. 64; Tsagourias, p. 233-235. 116 Tsagourias, p. 235.
regarding conduct in cyberspace.117 According to the Dutch government, no internationally
accepted legal standard for proof regarding attribution of conduct in cyberspace exists:
“There is no internationally accepted legal standard in this respect. It will depend on the particular forum in which attribution takes place. The standard of proof required may differ depending on whether a claim is presented before a particular international court or tribunal, or whether it is part of diplomatic negotiations or consultations. (…) It would seem that the particular degree of proof required is closely connected to the severity of the cyber operation and of the response to such cyber operation: the more severe, the higher the standard. In some cases one may need to have absolute or near absolute certainty. For example, in the Bosnia Genocide the ICJ took the view that the Court had to be fully convinced that allegations of genocide and other acts had been clearly established. This concerned genocide. It makes perfect sense that a high degree of certainty, employed in different cases, would not have been sufficient.”118
One author proposes the following ladder, going from least invasive to highest possible certainty:
Reasonable suspicion ; Probable cause ; Substantial evidence;
Preponderance of the evidence; Clear and convincing evidence; Beyond reasonable doubt.119
The question then raises, however, how desirable it is to use a lower evidentiary standard for cyberspace in order to facilitate attribution. Opponents to this idea argue that standards of proof exist not to serve as a hurdle for an injured State, but to shield States from false attribution.120 Following this line of reasoning, there would be no reason to lower the standard
117 Antonopoulos, p. 64; Tsagourias, p. 233-235.
118 Theeuwen, W. (2018) “Attribution for the purposes of State responsibility.” Dutch Ministry of Defence, accessible at: https://puc.overheid.nl/mrt/doc/PUC_248325_11/1.
119 Lin, H. “Attribution of Malicious Cyber Incidents: From Soup to Nuts.” Journal of International Affairs, vol. 70, no. 1 (2016), p. 105.
of proof “simply because it is more difficult to reach.”121 However, it is clear from the above
that there does not exist a singular golden threshold which has to be met by States in order for attribution to be successful. One can therefore not speak of lowering such a threshold if there does not exist one in the first place. It merits therefore, in line with the position of the Dutch government, to assess on a case-by-case basis what is required as an evidentiary base to support the responding actions. As said before, in certain cases of a cyber attack the decision whether or not to respond has to be made on short notice. In other cases, where responsibility can be attributed in the stages after the attack has passed, an injured State can afford to take a more cautious approach.
Evidence for attribution will seldom be enough prove a link with a person beyond any doubt.122 Efforts should therefore also focus on other types of deterrence, increasing security,
and developing an international standard for behaviour in cyberspace.123 In the next chapter,
we will assess whether a different type of invoking a State’s responsibility in cyberspace is easier to achieve, namely through the obligation of due diligence.
121 Chircop, p. 649; Roscini, p. 251.
122 Clark, Landau, Untangling Attribution, p. 39. 123 Ibid, p. 40.
Chapter 3: The avenue of due diligence
Since attribution of specific conduct to a State comes with considerable technical difficulties in the cyber realm, an alternative route to establish responsibility is proposed.124 Not by means
of attributing certain conduct directly to a State, but by attributing responsibility for an omission to act. When States breach their obligation of due diligence in cyberspace, they can be held responsible for that breach.125 What this principle entails and how it exactly is applied
to cyberspace can be found in the paragraphs beneath.
3.1 Due diligence: an obligation to prevent?
The principle of due diligence has been formulated by the ICJ in its Corfu Channel judgment. There, it stipulated that this principle entails “every State's obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States.”126 The Court
characterized this principle as a general and well-recognized one.127 Because of this award by
the Court, the applicability of the principle of due diligence in general to the cyber domain is accepted widely.128 It is therefore clear that there exists an international obligation for States
to prevent the use of its territory for acts contrary to the rights of other States, whether this act takes place in cyberspace or outside that realm. What is also clear, is that the obligation of due diligence stems from an obligation to prevent injurious conduct stemming from a State’s territory.129 But how far does this obligation to prevent go, and what exactly does a State have
to prevent?
In the Bosnian Genocide case, the ICJ delved deeper into the notion of due diligence within the framework of the prevention of genocide.130 There, the Court made clear that it was not
creating general case law for every instance concerning an obligation to prevent. It should be determined on a case by case basis how the obligation is specifically applied and when it is breached.131 In the case of the prevention of genocide, what is important to note is that it is an
obligation of conduct and not of result.
124 Antonopoulos, p. 66; Corfu Channel p. 22. 125 Antonopoulos, p. 65.
126 Corfu Channel, p. 22. 127 Idem.
128 Chircop, p. 644; Antonopoulos, p. 65. 129 Bosnian Genocide, p. 220-221. 130 Bosnian Genocide, par. 430. 131 Bosnian Genocide, par. 429.
Within the context of the ILC Draft Articles on the Prevention of Trans-Boundary Harm, the ILC shares the view of the ICJ that the obligation of due diligence constitutes an obligation of conduct, and not of result: a State would have to take action that is ‘appropriate and proportional to the degree of risk of trans-boundary harm in the particular instance’.132 Again,
it is shown that the application of the obligation of due diligence is wholly dependent on the specific circumstances of the case.
The International Tribunal of the Law of the Sea called the principle of due diligence a ’variable concept’, and emphasized that “the standard it may set may change as a result of scientific and technological developments as well as the risks involved in a particular activity.”133 This award further strengthens the notion that the principle of due diligence is one
which needs to be assessed while taking into account all relevant circumstances, including technological ones.
The principle has been left out of the ARSIWA, since the ILC considers the obligation of due diligence a primary obligation, giving content to an international obligation.134 The
International Group of Experts that came together and created the Tallinn Manual 2.0, does elaborate on the principle in Rule 6 and 7, however they refrained from stipulating a clear threshold for breach of the obligation and thus leaving it open for interpretation.135 Yet they
do confirm that the principle is relevant in cyberspace, and share the view of the ILC that the principle constitutes a primary obligation under international law.136
Certain scholars challenge the view by the ILC and IGE that due diligence is a primary obligation under international law, and propose a different notion.137 In the next paragraph, an
attempt will be made to weigh these views in the application of due diligence to cyberspace.
3.2 The application of the Corfu Channel case to cyberspace
As discussed above, the principle of due diligence stems from the ICJ’s Corfu Channel judgment.138 It has been widely accepted that this obligation applies in cyberspace, and the
IGE has codified the doctrine with regard to cyberspace in Rule 6 and 7 of the Tallinn Manual
132 Antonopoulos, p. 66; ILC Draft Articles on the Prevention of Trans–Boundary Harm from Hazardous Activities [2001] A/56/10, 154.
133 Antonopoulos, p. 66; Responsibilities and Obligations of States Sponsoring Persons and Entities with respect to Activities in the Area (Advisory Opinion) [2011] ITLOS Sea Bed Disputes Chamber, para. 111, 117. 134 Chircop, p. 644; ILC Articles and Commentary, p. 31.
135 Chircop, p. 651; TM 2.0 Rule 6 and 7. The IGE merely mentions “serious adverse consequences” as a prerequisite for State action against certain conduct.
136 TM 2.0 Rule 6, par. 6. 137 Chircop, p. 645. 138 Corfu Channel, p. 22.
2.0. 139 However, the exact application of this obligation differs on a case by case basis, and
depends on the particular circumstances regarding conduct stemming from a State’s territory.140 Therefore it merits assessment to establish how the principle exactly is applied in
cyberspace.
Due diligence flows from state sovereignty, in the sense that every State exercises control over its territory, including the infrastructure and activities within that territory.141 However, it
is unrealistic to expect a State to have complete control over every single piece of infrastructure or activity. According to the ICJ in its Corfu Channel judgment, knowledge of the existence of injurious conduct cannot be imputed to a State merely by the presence of that conduct’s source on the State’s territory.142 At the same time, States cannot simply use their
ignorance as an excuse to avoid responsibility.143
So when exactly is the obligation breached within the context of cyberspace? As one scholar puts it: “A due diligence failure occurs when a State has knowledge of a cyber operation being carried out from within its territory, contrary to the rights of, and having adverse effects on another State, and fails to take reasonable measures to prevent it.” 144 The different
elements presented here deserve further scrutiny.
Knowledge of an injurious act can be both actual, and constructive.145 Actual knowledge
concerns the situation where State organs such as, for example, intelligence agencies had knowledge of certain conduct.146 Since this is not always possible to prove, the IGE introduces
the concept of constructive knowledge. Constructive knowledge is the type of knowledge that was attributed to Albania in the Corfu Channel judgment147 and is achieved when “the factual
circumstances are such that a State in the normal course of events would have become aware.”148 However, determining whether a State was aware of certain conduct remains a very
technical matter. It goes without saying that assuming a State’s knowledge of certain conduct cannot take an unreasonable form.149
139 Chircop, p. 644; TM 02 Rule 6. 140 Bosnian Genocide, par. 430. 141 Antonopoulos, p. 63; TM 01 25-26.
142 Antonopoulos, p. 63; Corfu Channel Case par. 4, 18. 143 Corfu Channel, p. 18.
144 Chircop, p. 645.
145 TM 2.0 Rule 6, par. 37, 39; Chircop p. 650. 146 TM 2.0 Rule 6, par. 37.
147 Corfu Channel, p. 22. 148 TM 2.0 Rule 6, par. 39. 149 Chircop, p. 650.
The IGE noted in its Tallinn Manual 2.0 that ‘harmful conduct’ is not a general threshold which results in a breach of due diligence when met.150 ‘Contrary to the rights of another
State’ can be defined as conduct that, if the State would have exercised that conduct, would breach an international obligation owed to the target State.151 This is cumulative to the
element of adverse effects which certain conduct must have.152 Taken all together, this limits
the reach of its scope to those cyber activities which are significant (in that they meet the gravity threshold) and are regulated by international law.153
The final element concerns the feasibility of State action preventing the injurious conduct. As the IGE noted when discussing its Rule 7, “the feasibility of particular measures is always contextual.”154 Feasibility depends on the technological development of a State, the capacity it
can devote to such operations, and the degree of control it generally exercises over its cyber infrastructure.155 The IGE rejected the idea that an obligation of due diligence requires
preventative measures.156 As we have seen previously, the use of governmental infrastructure
cannot of itself be a reason to attribute.157 The IGE draws a comparison with kinetic weapons:
cyber infrastructure can be obtained by a third party. But this is where due diligence must come into play: a State must prevent its infrastructure from being used by malicious actors. The same can be said about operations that have been routed through governmental infrastructure: a State has the obligation to prevent its infrastructure to be used by malicious actors. This includes, for example, ensuring that governmental infrastructure has the highest standard of security. However, this is clearly a step too far for the IGE: they regard due diligence in cyberspace as an obligation of conduct but only to the extent that a State has to exhaust all feasible measures to terminate a cyber attack once it has commenced.158 Other
writes disagree, however, and state that States have the obligation to take preventive measures in concrete cases of risk.159 Additionally, they argue that according to article 7, 8 and 9 of
Articles on Prevention Of Transboundary Harm a State must undertake the following actions:
150 TM 2.0 p. 36. 151 TM 2.0 Rule 6, par. 15. 152 Idem. 153 Chircop, p. 651. 154 TM Rule 7, par. 16. 155 Idem. 156 TM 2.0 Rule 7, par. 13.
157 TM Rule 7; Tikk, Kaska, Vihul, p. 75.
158 Liu I. (2017) “The Due Diligence Doctrine under Tallinn Manual 2.0.” Computer Law & Security Review, vol. 33, no. 3, p. 394.
159 Ziolkowski K, ‘General Principles of International Law as Applicable in Cyberspace’ in: Ziolkowski K., Peacetime Regime for State Activities in Cyberspace. NATO CCD COE (2013), p. 166.
Risk assessment;
Notification and information in cases of risk of causing significant transboundary harm;
Consultation on preventive measures.160
The foregoing strengthens this writer in its stance that there exists an obligation to undertake preventive measures even before malicious cyber conduct as occurred.
3.3 A reversed burden of proof
In chapter two we discussed the difficulties that attribution in cyberspace raises when proving the nexus of certain conduct and an actor. In order to avoid these technical difficulties in bringing together evidence, the avenue of due diligence is proposed in the paragraphs above. However, this raises the question whether the same evidentiary difficulties also rise with attempting to establish international responsibility through a breach of due diligence. This paragraph looks into that question.
The evidentiary standards for breaches of due diligence obligations can be found in the Corfu Channel case, where the ICJ shared its considerations regarding this matter.161 In the previous
paragraph we already mentioned that a State cannot be imputed with knowledge of an act simply because it originates from its territory. 162 The Court does recognize, however, that
since the act stems from territory that is within the exclusive territorial control of a State, this has consequences for the methods of proof available to the target State.163 In this respect, it
awards the target State with “a more liberal recourse to inferences of fact and circumstantial evidence.”164 So it is clear that due diligence requires a less strict approach with regard to
proof, since there exists the possibility of few direct access to evidence by the target State. Combined with the peculiarities of cyberspace, and the technical difficulties of creating a convincing evidence pack, this raises the question what threshold is applicable to cases in cyberspace. What is certain, however, is that the Court requires evidence that is “fully conclusive.”165 Yet this does not tell us much regarding the specific evidentiary demands
160 Articles 7, 8 and 9 of ILC Draft Articles on the Prevention of Trans–Boundary Harm from Hazardous Activities [2001] A/56/10.
161 Corfu Channel, p. 18. 162 Idem.
163 Idem. 164 Idem.
required for a successful allegation of breach of due diligence. This is more a generic threshold than a clear guideline.166 In Corfu Channel, the Court required evidence that leaves
‘no room for reasonable doubt’.167 Yet with regard to the prevention of genocide, the Court
required proof ‘at a high level of certainty’.168 This fits in the ‘general agreement’, as Judge
Higgins calls it, that the graver the charge, the higher threshold of evidence is required.169
We therefore need to look at the specifics of cyberspace and the element of due diligence therein to make an assessment of the required standard of evidence. Where we looked in chapter two at evidence for attribution, we now deal with a different paradigm. With a focus on due diligence instead of attribution of conduct, the evidentiary process changes completely. It dispenses with the difficulty of attributing acts of individuals to a State.170 This
is because the subject of proof is an omission to act, and not an act. 171 As we saw in the
previous paragraph, constructive knowledge can be sufficient to impute an omission to act to a State. Flowing from this constructive knowledge is the obligation to take feasible measures.172 There still needs to be the process of tracing back the activity to a certain
territory, yet the intricacies of linking certain conduct to a person or a State directly is no longer required.
Scholars disagree whether constructive knowledge is triggered as soon as certain conduct originates from a State’s territory. Opponents to this idea, including the IGE that composed the Tallinn Manual 2.0, argue that cyber operations can be routed through a State’s territory without their knowledge and therefore should not be held responsible.173 Proponents,
however, tend to look at the matter more from the target State’s perspective. When a target State has notified another State of malicious cyber activity stemming from its territory, absence of knowledge should no longer bar the target State’s right to demand cessation of injurious cyber conduct.174 In such cases, it is argued, the only instance where a territorial
State is not responsible for the cessation of such conduct, is when it stems from a location outside its jurisdiction like, for example, diplomatic premises.175 Extending this argumentation
166 Tsagourias, Cyber Attacks, p. 235; Separate Opinion of Judge Higgins in Case Concerning Oil Platforms (Islamic Republic of Iran v USA) (Merits) [2003] ICJ Rep 161, par. 33.
167 Corfu Channel, p. 18. 168 Bosnian Genocide, par. 210.
169 Separate Opinion Judge Higgins, par. 33. 170 Antonopoulos, p. 56.
171 Antonopoulos, p. 66. 172 Idem.
173 Chircop, p. 649; TM 01 Rule 8; Roscini, M. “Evidentiary Issues In International Disputes Related To State Responsibility For Cyber Operations.” Texas International Law Journal, vol. 50, no. 2-3 (2015), p. 248. 174 Antonopoulos, p. 64.
even further, this could lead to a shift of the burden of proof from the target State to the territorial State.176
The majority of scholars have, however, rejected this line of reasoning. Their argument is that reversing the burden of proof might “lead to wrong and even absurd results … and to the denouncing of wholly uninvolved and innocent States.”177 It seems to go against what can
reasonably expected from a State when it comes to knowledge of cyber conduct stemming from its territory. Even though the constructive knowledge requirement is not a clear threshold in every case imaginable, a threshold of reasonability might help with complicated cases.
176 Antonopoulos, p. 64.
Conclusion
What started out as a search for the true meaning of attribution, has resulted in the research above. In order to determine the applicability of the framework for establishing State responsibility in cyberspace, we have first of all outlined the framework in general and more specifically the parts that are most relevant for this specific research in cyberspace. Due to the increased possibilities for anonymity in cyberspace, it becomes more difficult to pinpoint the nexus between an entity and a State or certain conduct and a State.178 Therefore we looked
specifically at Articles 4 and 8 of the ARSIWA, which entail the attribution of conduct to a State either based on the fact that such conduct is executed by a de jure or de facto organ, or based on effective control by a State over such conduct. It has become clear that for conduct in either of the cases regarding de facto organs or attribution ex Article 8, there exists a very restrictive control test formulated by the ICJ. With regard to other international courts and tribunals, they have formulated other control tests which they found to be more suitable for specific instances. However, the ICJ has “authoritatively settled the debate” in favour of the effective control doctrine.179
Looking at the application of the framework of State responsibility to cyberspace, it has become clear that the legal difficulties with attribution in cyberspace are not particular to cyberspace. Just as strict control or effective control is difficult to prove in traditional cases, so it is equally difficult to legally attribute conduct to a State. What is different, however, is how one arrives at the process of legal attribution. In cyberspace, the evidentiary process is highly technical in nature. The ability of actors to disguise themselves when conducting malicious operations is unique for cyberspace and decreases the chances of successful attribution.180 Additionally, the tendency of malicious actors to use a multi-stage approach
further diminishes the success rate. Thirdly, identifying the source of conduct in some cases is only possible during the operation itself and becomes futile after the activity has ended, creating enormous time pressure. The aspects that give cyberspace its increased difficulty for attribution are therefore not a legal one but a technical one.
However, the conclusion that the problem with attribution in cyberspace is not a legal one but a technical one does not help with attributing responsibility for wrongful acts in cyberspace. Therefore, an alternative route is proposed in the avenue of due diligence. The core of this international obligation can be found in the ICJ’s Corfu Channel case, and entails that States
178 Antonopoulos, p. 63. 179 Messineo, p. 6.
should not knowingly let their territory be used for activities that are harmful to other States.181 Applying this principle to cyberspace, one comes to the conclusion that at the very
least States must take all reasonable measures to stop injurious cyber conduct stemming from its territory, once that State has knowledge of that activity.182 Such knowledge can be either
actual knowledge, where a State in fact knows that a cyber operation is being executed from its territory, or constructive knowledge, where a State should know or should have known that such activity is taking or had been taking place.183
Summing up, one can conclude that the framework of establishing responsibility for conduct by a State is entirely applicable to cyberspace. Yet, due to technical issues regarding evidence the practical use of the framework is not always possible. In such circumstances, attributing responsibility on another State could happen through the avenue of due diligence. However, this road comes with its own hurdles, making it far from a golden ticket.
181 Corfu Channel, p. 22. 182 Liu, Due Diligence, p. 394. 183 TM 2.0 Rule 6, par. 37.
