The nature of cyberspace not only offers diverse means for attackers to inflict harm on their victims, but also allows them to conceal their identity in a way that would not be possible offline. The attribution of cyberattacks presents technical, legal, and political challenges; nonetheless, it is a necessary prerequisite for holding actors accountable for malicious activity and ensuring peace in cyberspace.
First of all, the identification of the machine – or the machines – that were used to carry out a cyberattack is rather complex due to the decentralized structure of the Internet and the multiple possible vectors of attack. Government agencies, law enforcement, and private companies have progressively refined their capacity to attribute cyberattacks thanks to the ability to collect, analyze, and match specific sets of TTPs with APTs or criminal groups. The identification phase is of crucial importance and should not be underemphasized; however, the key challenge for accountability revolves around what measures are actually taken against the identified actors. While further improvements in terms of identification capabilities are surely necessary and desirable, ensuring accountability in cyberspace ultimately remains a legal and political challenge.
This translates into being able both to ascribe to a perpetrator the legal responsibility for a cyber operation and to enforce a law or a norm of behavior by punishing the ones found guilty. Domestic, regional, and international legal systems have evolved, adapted, and are interpreted to respond to the realities of cyber operations. For example, as of January 2022, the vast majority of States have adopted specific cybercrime legislation, discussions for a new UN international convention on cybercrime are proceeding apace, and consensus has been reached on the applicability of international law to the use of information and communication technologies (ICTs) by States. Nevertheless, the diverse nature of cyber operations poses thorny interpretive challenges on how the relevant rules apply.
For instance, according to the existing norms on responsibility – entailed in the International Law Commission’s Articles on the Responsibility of States for Internationally Wrongful Acts (ILC’s ARSIWA) and various judgements of the International Court of Justice (ICJ) and the International Criminal Tribunal for the former Yugoslavia – the legal attribution of cyber operations to a state can be quite challenging and the spectrum of state responsibility for malicious attacks hard to define. For example, governments would typically back a group of cyber criminals to conduct cyber operations on their behalf; nonetheless, the degree of state control – thus the “interaction” – necessary to encourage and prompt non-state actors may be such that it does not trigger the responsibility of the state under international law norms. This and other questions render even legal attribution particularly thorny, to the point that both attribution and accountability – while sometimes supported and informed by international law argumentations – are oftentimes a political decision.
Technical difficulties, the lack of efficient legal instruments, lack of international collaboration, or uncertainty about their interpretation often result in governments not being able to hold malicious actors accountable.
In addition, political considerations are another major hindrance to ensuring accountability. Governments will take into account the consequences of publicly attributing a cyberattack to a state, perhaps considering the potential destabilization of bilateral and multilateral relations, or even fearing further attacks. Similarly, attributing responsibility to non-state actors operating within the borders of a certain state could also raise tensions between governments or provoke additional misbehavior from the threat actor.
Highlighting The Impact of Cyber Threats, Stressing Urgency to Ensure Accountability
That being said, the impact of cyberattacks has been constantly rising in terms of both severity of the damages and number of victims, and the challenge of accountability needs to be prioritized by decision-makers at all levels. Indeed, even when the attribution of a cyberattack is successfully conducted, there is too little or no enforcement effort. Such a substantial lack of accountability impacts not only states and organizations, but also individuals whose protection and security should be at the core of governments’ mission. There is an urgent need to consider attribution not as an end in itself, but mostly as a means of holding malicious actors accountable.
Calling For Governments to Take on The Above-Mentioned Challenges
The technical identification phase needs to be further improved and enhanced, as it is at the base of the entire process of ensuring accountability. Governments should invest in the cybersecurity sector to improve their capabilities and promote public-private cooperation, which has proven a key factor for attributing cyberattacks on many occasions.
In order to promote accountability, it is also necessary that states further commit to the development of a sound legal framework to address cyber threats. This would mean engaging in diplomatic fora to further elaborate on how they interpret the application of international law to cyberspace, building and informing response measures and enforcement according to applicable norms, and strengthening global capacity-building measures providing law enforcement agencies with adequate legal instruments to hold cybercriminals accountable.
Additionally, it is fundamental that governments – supported by a broad set of stakeholders – design and implement transparent frameworks of response to malicious use of ICTs. In the range of measures to be taken against the responsible parties, governments should envisage diplomatic means like condemnatory statements followed by sanctions or retorsions depending on both the nature of the responsible actor and its conduct. These have to become a norm, not an exception. Response measures targeted at individuals, groups, or governments need to be respectful of international law and be tailored to punish the aggressors and discourage similar kinds of misconduct. In this light, the EU sanctions regime evolved from the 2017 Cyber Diplomacy Toolbox represents a virtuous measure for ensuring accountability in cyberspace. Similarly, the US has contributed to the recent trend of judicialization of attribution by charging identified individuals for specific misbehaviors, attempting to hold them accountable.
Governments should live up to their duty to protect individuals, thus not only assuming the political costs of publicly attributing a cyberattack, but also employing all the available means to hold the responsible actors accountable. The question of accountability remains a crucial one for ensuring stability in cyberspace, and the international community must further address this challenge in a consistent way, taking into account the diverse views and interests of the broad community of stakeholders.
Klara JORDAN, Chief Public Policy Officer, with the support of Lapo MORIANI, intern in the Advancement team of the CyberPeace Institute.
ICJ, Military and Paramilitary Activities in and against Nicaragua (Nicaragua v. United States of America) (Merits)  ICJ Reports 14. [In the footnotes: Nicaragua case.]
ICTY (Trial Chamber) Prosecutor v. Dusko Tadić (Trial Judgment)  IT-94-1-T. [In the text: Tadić case.]
ICJ, Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v. Uganda) (Judgment)  ICJ Reports 168. [In the footnotes: Armed Activities case.]
ICJ, Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v. Serbia and Montenegro) (Judgment)  ICJ Reports 43. [In the footnotes: Bosnian Genocide case.]
Tactics, techniques, and procedures (TTPs) are the patterns of activities or methods associated with a specific threat actor or group of threat actors
Advanced Persistent Threats (APTs) stands for a type of targeted and persistent cyber operations carried out by adversaries with considerable technical expertise and large resources
See Council of Europe, “The global state of cybercrime legislation 2013 – 2022: A cursory overview,” available from https://rm.coe.int/3148-1-3-4-cyberleg-global-state-jan2022-p/1680a564bb
Notably, the Nicaragua (1986), Tadić (1997), Armed Activities (2005), Bosnian Genocide (2007) cases
Council of the European Union, “Draft Council Conclusions on a Framework for a Joint EU Diplomatic Response to Malicious Cyber Activities (‘Cyber Diplomacy Toolbox’),” available from https://data.consilium.europa.eu/doc/document/ST-9916-2017-INIT/en/pdf. On 30 July 2020, based on the Cyber Diplomacy Toolbox, the Council of the European Union unanimously imposed restrictive measures against six individuals and three entities that have been found responsible for or involved in various cyber-attacks against EU Member States. Details available from https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32020D1127&from=EN
The judicialization of attribution consists in charging identified state agents for a cyber operation, and thus indirectly attributing the operation to a State. On 6 September 2018, the US Department of Justice announced formal charges against a North Korean citizen for his involvement in known malicious cyber operations including the Sony Pictures Entertainment Hack, Central Bank Cybertheft in Bangladesh and WannaCry. Details available from https://www.justice.gov/opa/press-release/file/1092091/download