Closing the Accountability Gap: Rethinking Article 8 of ARSIWA for Cyberspace

Introduction

In the 21st century, cyberspace has emerged as a crucial sphere of international law, providing states with novel means to exert influence and pursue strategic political, economic and military objectives. Today, over thirty countries are capable of successfully employing cyber tools as weapons. A range of non-state actors (NSAs), such as individual hackers and cyber-criminal groups, exist within this environment as well. While some have their own independent agendas, others operate with varying degrees of support for a State and its policy objectives. Frequently, States depend on non-state proxies to execute cyber operations on their behalf. Most scholars and states concur that state responsibility in cyberspace falls under the purview of international law. However, its interpretation must adapt to the unique features of the advancing technology. Therefore, it is pertinent to address the challenges surrounding the attribution of cyber-attacks, especially concerning the question of state responsibility. The Articles on Responsibility of States for Internationally Wrongful Acts (ARSIWA) provide a fundamental framework in this regard. In this article, I propose expanding Article 8 of ARSIWA to enhance state accountability and strengthen the international law response to cyberattacks.

The article begins by comprehensively examining the gaps in Article 8, ARSIWA, in the context of cyberspace. Next, I argue for the expansion of Article 8 as a recommended solution, applying it to the DarkSide ransomware attack. This case study is solely for academic and illustrative purposes to demonstrate the practical application of the proposed reform.

The Inadequacy of Article 8 of ARSIWA in the Cyberspace Realm

Cyber attribution is riddled with two significant challenges: identifying the technical source and those culpable for the attack, and addressing the legal question of when such attribution can render a state liable under international law. This is largely due to the distinctive characteristics of cyber-attacks, i.e. “boundlessness and anonymity of the cyber domain.”  This complicates jurisdiction and enforcement processes. Attackers may often employ various deception techniques to obscure their identities and shift blame with ease.

ARSIWA is a legal framework which entails international customary law practices. It codifies “general international law standards of attribution.” I specifically focus on Article 8 of ARSIWA, which contains three disjunctive standards of attribution to establish a “factual” relationship between NSAs and the State: instructions, direction and control. However, certain obstacles emerge when applying this provision to cyber operations.

Firstly, the “instruction” standard appears to be problematic in the digital domain since, for it to be satisfied, the instructions should be conveyed in a manner that signals the State’s clear intention to permit the unlawful act. As held in the Bosnian Genocide case, the instructions must be provided specifically ‘in respect of each operation in which the alleged violations occurred.’ Moreover, the NSA must be “factually subordinate” to the state at the time of the wrongdoing for attribution. This implies that the NSA must receive specific instructions from the state and adhere to those instructions to carry out the act for attribution. Therefore, this test serves as a high and narrow threshold. It is further complicated in the case of cyber-attacks, where States can, utilising the sophisticated technologies available today, instruct NSAs to carry out cyber-attacks in ways that leave little to no evidence of their direct involvement. These instructions might be communicated through encrypted channels, dark web forums, or other indirect methods.

Additionally, the anonymity inherent in cyber activities makes it possible for states to deny any connection, complicating efforts to prove that they orchestrated specific actions or provided clear directives. Moreover, establishing “factual subordination” in the realm of cyber-attacks is challenging. It requires strong evidence that an NSA is following a state’s orders when executing a particular operation. However, NSAs usually function in decentralised and flexible networks. In the absence of a clear chain of command, demonstrating a direct link between these NSAs and a state is complex. The problem is compounded when States deliberately provide vague or overly broad instructions to NSAs. This ambiguity, aggravated by the difficulty of tracing explicit instructions in the digital domain, provides States with a convenient way to argue that the harmful actions were outside the scope of their directives or “ultra vires”, thus escaping attribution under international law.

Secondly, following from the Bosnia case, for the “direction” standard to be met, there is a requirement for a continuous relationship between the State and the NSA, rather than a one-time issuance of directives without ongoing oversight. However, this continuity is very difficult to prove in cyberspace. Cyber operations may not always require continuous communication or oversight. Additionally, unlike traditional military operations, where physical or documentary evidence can establish a clear chain of command, advances in technology have made it onerous to secure such proof of ongoing coordination.

Thirdly, the “control” test is another “autonomous” standard. This provision entails the “effective control” test, which was developed in the Nicaragua case and reaffirmed in the Bosnian Genocide case. Under this test, to attribute an internationally wrongful act to the State, the State must be involved in planning the operation, selecting targets, extending operational support and maintaining control over its beginning, execution, and conclusion. Further, the group must not demonstrate any “autonomy”, thereby “being completely dependent” on the State. I argue that this sets an extremely high threshold, significantly limiting State liability and enabling the use of proxies to evade responsibility. In the Nicaragua case, the ICJ held that although the USA provided financial and logistical assistance and military support, the control was insufficient to attribute the act to the State.

Crucially, at present, even instigating or encouraging an act is not sufficient for attribution under this standard. It appears inconsistent that a State can encourage cyber attackers through monetary means, training, and public statements that subtly incite patriotic groups without any risk of attribution under this Article. This accountability gap can allow States, by using proxies, to advance their own strategic interests, such as destabilising rival states and enhancing geopolitical influence through critical infrastructure hacks, attaining economic advantage through theft of intellectual property by economic cyber espionage, etc. This substantial indirect state influence in the cyber domain is inadequately dealt with by Article 8.

A Proposed Solution: The Way Ahead

As established above, Article 8, as it currently stands, allows States significant leeway to use non-state proxies for cyber operations without accountability. This presents a critical issue that must be addressed promptly.

To tackle these shortcomings, I propose expanding the provision by adding an alternate layer of accountability that attributes responsibility to States for acts of NSAs in the cyberspace context. This framework would result in attribution to a State when (1) it has knowledge—whether actual or constructive—of wrongful cyber-attacks emanating from within its jurisdiction or facilitated by its resources; (2) it has the capacity to act but fails to take reasonable measures to mitigate the conduct; and (3) such deliberate and repeated inaction concerning the NSAs’ cyber operations is contrary to the rights of the injured State and results in “serious adverse consequences”. This can be added as an alternative basis of attribution for cyber-attacks.

This proposal aims to incorporate the State’s “obligation” of due diligence and the principles laid down in the Tallinn Manual 2.0 (hereinafter Manual), a comprehensive framework enumerating the international law on Cyber operations. Under this duty, States are obligated to ensure their territory is not “knowingly” used for actions that infringe upon the rights of other States. This obligation was emphasised by the ICJ in the Corfu Channel case.  Due diligence is enshrined in Rule 6 of the Manual, which notes that this principle is rooted in the core idea of a state’s territorial sovereignty.

In alignment with the view of the experts behind the Manual that actual and constructive knowledge can bind a state under the due diligence requirement, Criterion (1) recognises that actual knowledge of the wrongful cyber-attack can arise through official notifications from other states, intelligence reports, open-source investigations, etc. Constructive knowledge can be established by showing that the State had access to sufficient tools or resources, such as intelligence systems, that would reasonably have enabled it to detect a cyber operation occurring within its territory, yet failed to do so. A state cannot merely say, “We did not know” to evade responsibility. However, to ensure that there is no misuse of this criterion, the burden of proof to show knowledge lies on the accusing State.

Criterion (2) is reflective of Rule 7 of the Manual and the very essence of due diligence, i.e. it is an “obligation of conduct”, and every “feasible measure” must be taken by a State to prevent its territory from being utilised for activities that infringe upon the rights of other states. Criterion (3) lays down two important things. Firstly, there must be a consistent failure by the State to take reasonable steps and not an isolated incident. Inaction must persist over a significant period, giving the state enough time to respond once it becomes aware. Moreover, the threshold of harm has been imported from Rule 7 of the Manual and does not extend to “inconvenience or minor disruption”, thus setting a rigorous safeguard threshold.

The rationale underlying this proposal, as outlined above, is that the three tests in Article 8 present significant limitations for attributing cyber-attacks to States, creating a need for an alternative framework of accountability. Linking the mere obligation of due diligence with attribution under Article 8 makes states less likely to turn a blind eye to cyber operations emanating from their territory. It creates stronger incentives for states to actively address such operations.

Attribution in Practice: Russia and the DarkSide Ransomware Operation

Applying the proposed expanded framework to a real-world scenario, Russia could have been held responsible for the ransomware attack by the non-state criminal cyber group DarkSide on the Colonial Pipeline in the US, which was the “worst cyberattack to date on critical US infrastructure.” The FBI confirmed that DarkSide was responsible for the Pipeline attack.

While existing attribution standards did not permit the FBI to conclusively establish Russia’s responsibility for the cyber-attack, the proposed revision of Article 8 underscores how a more inclusive framework could enable such accountability. Russia could be imputed with constructive knowledge because there had been numerous cyber-attacks by DarkSide over the years before 2021, estimated to have yielded no less than $90m in ransom payments from 47 victims. Moreover, in November 2020, the Russian operator “Darksupp” advertised DarkSide’s RaaS platform on well-known Russian-language cybercrime forums like exploit.in and xss.is. As major platforms for cybercriminal activity, these forums likely increased the visibility of DarkSide’s operations and could have, as a reasonable measure, been monitored. DarkSide also maintained a blog on the dark web where they publicly listed their victims and employed the threat of leaking stolen data to coerce them into paying ransoms.

Thus, they were operating fairly openly, and Russia could have reasonably known of them due to its “capacity to act”, as evidenced by its arrest of the REvil ransomware crime group. This Russian link has also been publicly mentioned by President Biden, who noted that the actors were likely based in Russia. The sustained inaction on the part of Russia, despite having the capacity and opportunity to act, raises concerns regarding whether the State may have perceived certain political or strategic gains from allowing such activities to persist. The severe harm threshold also appears to have been met since 45% of the fuel used on the East Coast is carried by the pipeline, and a ransom of $4.4 million in Bitcoin was obtained. The current view is that Russia acts as a safe haven for such attacks and appears to be tacitly encouraging such cyber operations to destabilise the West. Had the expanded version of Article 8 been in effect, Russia’s compliance with its due diligence obligations would likely have been stricter. The possibility of direct legal responsibility for DarkSide’s cyberattacks would have served as an impetus for responsible cyber governance.

Conclusion

As cyberspace continues to evolve, there is a growing need to develop modified norms of attribution that better align with the digital realm. The proposed expansion of Article 8 of ARSIWA is a significant step in holding states accountable and preventing them from unfairly leveraging NSAs to further their self-serving motives. More initiatives like this are the need of the hour.


Svastika Khandelwal is a third-year law student at National Law School of India University, Bangalore, with a keen interest in international law, technology governance, and the evolving legal challenges of cyberspace.

