An International Attribution Mechanism for Hostile Cyber Operations?
96 International Law Studies __ (2020)
18 Pages Posted: 17 Jun 2020 Last revised: 18 Jun 2020
Date Written: June 16, 2020
This article is the result of an international research project to consider the feasibility of establishing an international attribution mechanism for hostile cyber operations, as well as the usefulness of such a body. The project’s workshops brought together academics and policymakers, including experts with relevant legal, political and technological professional backgrounds. Based on the ensuing discussions, we conclude that for the time being those states wielding significant cyber capability have little interest in creating an international attribution mechanism. Such states appear to be of the view that they can generate sufficient accountability and deterrence based on their independent technological capacity, access to expertise and to offensive (active defense) cyber tools, political clout, security alliances, and other policy tools, such as sanctions.
At the same time, countries with limited technological capacity and less ability to mobilize international support for collective attribution are more amenable to the prospect, especially as a tool for “naming and shaming” states. Furthermore, we are of the view that international organizations that have the ability to facilitate collective sanctions in relation to unlawful cyber operations directed against member states or their partners might appreciate an official finding of legal responsibility for a number of political and legal reasons in certain situations.
This article presents and examines several possible justifications for establishing an international attribution mechanism and its principal constituencies. Part II sets forth the general case for international fact-finding mechanisms in international law. Shortcomings of the existing processes for attributing responsibility for cyber-attacks are examined in Part III. Part IV reviews several proposals to establish an international attribution mechanism, while Part V examines the constituency for a new mechanism. Our overall conclusions appear in Part VI.
Keywords: cyber, attribution, ICT, state responsibility
Suggested Citation: Suggested Citation