The Law & Politics of Cyberattack Attribution

64 Pages Posted: 23 Sep 2019 Last revised: 2 Oct 2019

See all articles by Kristen Eichensehr

Kristen Eichensehr

University of California, Los Angeles (UCLA) - School of Law

Date Written: September 15, 2019

Abstract

Attribution of cyberattacks requires identifying those responsible for bad acts, prominently including states, and accurate attribution is a crucial predicate in contexts as diverse as criminal indictments, insurance coverage disputes, and cyberwar. But the difficult technical side of attribution is just the precursor to highly contested legal and policy questions about when and how to accuse governments of responsibility for cyberattacks. Although politics may largely determine whether attributions are made public, this Article argues that when cyberattacks are publicly attributed to states, such attributions should be governed by legal standards. Instead of blocking the development of evidentiary standards for attribution, as the United States, United Kingdom, and France are currently doing, states should establish an international law requirement that public attributions must include sufficient evidence to enable cross-checking or corroboration of the accusations. This functionally defined standard harnesses both governmental and non-governmental attribution capabilities to shed light on states’ actions in cyberspace, and understanding state practice is a necessary precondition to establishing norms and customary international law to govern state behavior. Moreover, setting a clear evidentiary standard for attribution in the cybersecurity context has the potential to clarify currently unsettled general international law on evidentiary rules. The Article also engages debates about institutional design for cyberattack attribution. Companies and think tanks have made several recent proposals for an international entity to handle attribution of state-sponsored cyberattacks. Although these proposals have much to recommend them, the Article argues that such an entity should supplement, not replace, the current decentralized system of attribution. Having a multiplicity of attributors—both governmental and non-governmental—yields a greater likelihood that public attributions will serve the goals that attributors aim to achieve, namely strengthening defenses, deterring further attacks, and improving stability in and avoiding conflict over cyberspace.

Keywords: cybersecurity, cyber, cyberattack, cyberspace, attribution, international law, evidence, WannaCry, NotPetya, standard of proof, Tallinn Manual

Suggested Citation

Eichensehr, Kristen, The Law & Politics of Cyberattack Attribution (September 15, 2019). UCLA Law Review, Vol. 67, (2020, Forthcoming); UCLA School of Law, Public Law Research Paper No. 19-36. Available at SSRN: https://ssrn.com/abstract=3453804

Kristen Eichensehr (Contact Author)

University of California, Los Angeles (UCLA) - School of Law ( email )

385 Charles E. Young Dr. East
Room 1242
Los Angeles, CA 90095-1476
United States

Register to save articles to
your library

Register

Paper statistics

Downloads
145
Abstract Views
999
rank
202,511
PlumX Metrics