Sovereignty and Cyber Attacks: Technology's Challenge to the Law of State Responsibility
26 Pages Posted: 31 Jan 2015
Date Written: January 29, 2015
Cyber threats pose fresh challenges to sovereignty and to international law on state responsibility. In addressing kinetic attacks, international law defines state responsibility narrowly. A party asserting that a state is responsible for a kinetic attack must comply with the “effective control” test adopted by the International Court of Justice in its Nicaragua decision, or at the very least with the “overall control” test adopted by the International Criminal Tribunal for the former Yugoslavia in Prosecutor v. Tadic. Driven by concerns about the risks of escalation, the International Law Commission’s Draft Articles on State Responsibility hardened this narrow approach. The recently published Tallinn Manual on the International Law Applicable to Cyber Warfare tracks the ILC’s analysis.
While the Tallinn Manual is an exceptionally valuable effort to apply lex lata to the fluid cyber realm, caution may not serve international law in this context. Cyber reflects what I call attribution asymmetry: cyber threats from private groups assisted by states are both more difficult to trace than kinetic attacks for victims, and easier to control for the state providing the assistance. Because of this asymmetry, the international law on state responsibility for kinetic attacks is inadequate for cyber attacks. A test of virtual control would be more effective, imposing responsibility on a state that has provided financial or other assistance to private groups. The virtual control test will deter states from using private groups to engineer plausible deniability. This heightened deterrence provides a more useful template for the development of international law in the cyber domain.
Suggested Citation: Suggested Citation