Attribution in Cyberspace- A Fundamental Impasse for International Law?

The military principle of attribution in cyberspace has vexed international law for decades. This principle refers to the need for a cyber attack to be unquestionably tied to a state authority in order for relevant counter-attacks to permissibly follow. Yet cyber space is cloaked in anonymity and attacks are often conducted by civilians. In this context, what is the role of international law?

In 2007, a series of coordinated cyber attacks targeting Estonian networks crippled national systems for weeks. Crucial online systems such as banks, media outlets and government bodies were taken offline by sophisticated botnets, spam and similar forms of cyber maleficence. These cyber disruptions had real-world consequences across public and private sectors such as preventing government employees from communicating, economic damage, and ultimately resulted in the establishment of a new Estonian cyber defence department. In the aftermath of these attacks, it was largely presumed by Estonian authorities and indeed several other nations that the origin of these attacks could be tied to Russian aggression. Contextual clues suggested that the cyber attack followed a political row in retaliation to the relocation of a Soviet “Monument to the Liberators of Estonia” from the center of Tallinn, to a military cemetery on the outskirt of the city, an act which has condemned by Russian nationalists. The Kremlin however, has denied any involvement in these attacks, despite the origin of IP addressees prompting the attack being located in Russia.

The ambiguity underscoring these attacks and inability of Estonia to produce concrete evidence Russia was responsible points to a larger issue in cyberspace, embedding it in wider political discourses concerning shifting patterns of contemporary warfare. States find themselves in the difficult position of needing to respond to cyber-attacks, yet under the verbiage of international law, remain ill-equipped to address attacks which may came from state-sponsored bodies or civilian groups which evade attribution to the state itself. Attribution is a key principle of any military operation, allowing a state to direct its response towards an identified opponent. This caveat creates a degree of plausible deniability, whereby the burden of proof required to ‘blame’ Russia is impossible to acquire from the cyber-realm.

Crucially, innovation in the cyber realm continues to advance without a clear understanding of how State cyber strategies are to be understood as a use of force or indeed, if they qualify as force at all. A field once considered a fringe topic for international security, this exponential rise in cyber-attacks necessitates a more nuanced approach to their status under international law and the consequences of this phenomenon. Principally, the law as it stands lacks both universal definitions of many terms endemic to cyber discussions and a coherent normative framework setting limitations upon their use. This issue has been perhaps most concretely addressed by the Tallinn Manual-a NATO driven endeavour to clarify some of the most pressing issues across cyber debates, however this manual is non-binding nor does it represent an international consensus.

Thus a primary concern of States on the notion of cyber-attacks and their place within the wider context of international security has dealt with delineating clearly between the kinetic cyber -attacks (those which may correlate with forms of physical damage) and those which have non-kinetic end results, or in other words, aim to have effects in the cognitive rather than physical domain. What becomes clear is that a certain disparity exists between this perceived paradigm shift from infrastructural cyber-attacks to information manipulation emboldened by cyber means which aim to operate on a cognitive, rather than physical level.

Put simply, the full spectrum of cyber-attacks appears to encompass both comparably kinetic effects through the destruction of property, and non-kinetic effects based on psychological attempts to disturb the political decision-making process of an adversary. The observable difference in the end goal of these forms of attack calls into question the very relevance of many understandings of conflict in the cyber domain.

The two-tier approach is advanced due to the cyber domain being characterized by its fluid and fluctuating nature, resulting in some ‘lesser’ forms of enmities lacking thorough consideration. Indicative of this problematic juncture is that contemporarily, terms such as ‘disinformation’ and ‘fake news’ spread through social media platforms have entered the fora of terminology of cyberspace- by failing to adequately distinguish between kinetic and non-kinetic attacks, the threat landscape underpinning cyber will remain inchoate at best.

With wide-ranging cyber-attack objectives at play, international law has struggled to identify and contextualize these attacks within the traditional vocabularies of ‘force’ or ‘aggression’ that seek to limit escalation or abate conflict. Despite the variance in the forms of cyber-attacks playing out on the international stage, cyber debates have mainly proliferated in a reactionary fashion in response to attacks upon central organs of the State, which in turn, has prioritized the cyber threat agenda.