Legal Obligations of States Directly Affected by Cyber-Incidents

38 Pages Posted: 10 Mar 2015

Oren Gross

University of Minnesota Law School

Date Written: March 9, 2015


Much has been written in recent years about cyberspace as a new domain for warfare. The magnitude of the threats cannot be underestimated. Cyber attacks can disable whole countries (e.g., Estonia) as well as companies (e.g., Sony) and cyber-security incidents in sectors such as communications, finance, transportation and utilities can have catastrophic consequences.

The discussion to date has tended to focus on two common conceptions. First, regardless of the failure to arrive at widely accepted definitions of terms such as cyber “crime,” cyber “espionage,” cyber “attacks” and cyber “warfare,” they have mostly been regarded as willfully perpetrated, pre-meditated and intentional. Second, existing literature (certainly legal literature) has focused exclusively on the legal obligations of, and possible sanctions against, states and non-state actors that orchestrated cyber attacks.

In this article I offer radically different perspectives on both counts. First, the article recognizes that the harm to both computer networks and physical systems interconnected with them may be as catastrophic when the source of damage is not intentional but rather the result of human error or conventional threats. Second, I offer the first exploration and analysis of possible obligations that may be imposed not on the state (or non-state actor) that originated the attack, but rather on the directly affected state, i.e., the state that is the target of the attack or the cyber incident. I argue that imposing legal and technological responsibilities on the state that has been exposed to a cyber incident is warranted both as a matter of conceptualizing state sovereignty and due to the state’s various obligations to other states and the global community.

Thus, the article canvasses the possible bases for, and scope of, responsibilities that may be borne by states that are directly affected by cyber-security incidents before, during and after a cyber-security incident materializes.

Keywords: cyber attacks, cyber incidents, cyber warfare, national security, international law

Suggested Citation

Gross, Oren, Legal Obligations of States Directly Affected by Cyber-Incidents (March 9, 2015). Cornell International Law Journal, Vol. 48, 2015, Minnesota Legal Studies Research Paper No. 15-03, Available at SSRN:

Oren Gross (Contact Author)

University of Minnesota Law School

229 19th Avenue South, #430
Minneapolis, MN 55455
United States
612-624-7521 (Phone)
612-625-2011 (Fax)

