As geopolitical tensions rise, cyber attacks are intensifying, with public services increasingly targeted. Over 130 countries have experienced cyber disruption. In recent years, ransomware attacks in Costa Rica crippled essential services for months. A cyber attack against Albania paralyzed the border entry system and revealed the identity of police informants. And a months-long ransomware attack on the Irish healthcare system disrupted radiation therapy for hundreds of cancer patients.
AI is “democratizing” cybercrime by making cyber tools, such as ransomware-as-a-service, easily available off the shelf. In addition to the human cost — including delays to hospital treatment, lack of power and disruption to education — economic losses are mounting. Last year, 389 healthcare institutions were successfully hit by ransomware in the United States alone. And it is predicted that by 2031, ransomware will attack a device every two seconds and collectively cost victims $265 billion per year.
To date, states have deployed a combination of strategies in response to such cyber operations, such as dialogue (including in the United Nations and between regional bodies), naming and shaming perpetrators or their state sponsors, imposing sanctions on the alleged perpetrators, or disrupting supply chains. But one avenue that has been little used so far is litigation. Few perpetrators of cyber attacks have had to answer for their actions in court.
This post explores some of the ways in which courts might provide a route for accountability for States that are the victims of cyber operations and highlights developments that will make this more viable in the future.
An Inter-State Cyber Claim before an International Court?
Inter-state litigation is increasingly popular, with nine cases filed at the ICJ between April 2023 and 2024 alone — around four times the annual average of earlier years. Two-thirds of all U.N. member states are currently engaged in proceedings before the ICJ, either as applicants, respondents, interveners or participants in Advisory Opinions. But in the cyber context, there are various reasons why a victim state may not wish to bring an inter-state case, even if they can get over the hurdle of assembling sufficient evidence to prove in court that cyber activity can be attributed to another state.
First, many states are reluctant to consent to an independent third party or court deciding on the merits of a dispute. This reluctance is amplified in the cyber context, where operations are typically conducted covertly and the evidence involved is sensitive. Second, as experts have noted, states so far have rarely characterized cyber operations against them as breaches of international law, precluding the existence of a legal “dispute.” One reason for this is that states — particularly major cyber powers — may wish to avoid limiting their own operational freedom, so they often describe cyber operations against them as “malicious” or “irresponsible” rather than “unlawful.” If a state does not consider that there has been a violation of international law — or, because of self-interest, prefers not to characterize it as such — it will not bring the matter before an international court. International litigation is also expensive and slow, so many states are likely to respond in other ways, such as by publicly attributing the cyber operation to another state, expelling diplomats, or imposing sanctions.
The lack of clarity about how international law applies in the cyber context also explains the lack of case law to date. Over 100 states (factoring in regional positions by the African Union and European Union) have published their views on this issue over the last decade. Although states’ views about how international law applies to cyberspace are starting to converge on certain issues, other issues — such as sovereignty and due diligence — remain contested. Powerful states in particular may not want to risk unexpected judgments on an issue that has significant policy implications.
But for less powerful states that are victims of malicious cyber operations, litigation could be an attractive option, especially if it results in meaningful remedies such as compensation. And states have been seeking legal advice on the merits of bringing an inter-state claim in response to cyber operations that have had significant effects on their infrastructure or population.
A new policy brief from the Oxford Institute of Technology and Justice explores this option, examining pathways for legal accountability for malicious cyber operations, including inter-state litigation before international courts and prosecution of individual perpetrators.
The brief surveys the challenges of litigation in the cyber context, including the need to gather evidence to establish the identity of the perpetrators, and whether the cyber activity can be attributed to a state under the rules on state responsibility. Cyber attribution is difficult, although techniques are improving due to strengthened international and public-private cooperation. There have been various proposals, for example by the Atlantic Council and RAND, for independent fact-finding mechanisms that could carry out attribution and, if appropriate, refer the case to the ICJ or U.N. Security Council. But these proposals — which envisage only a limited role for states — have not gained traction. More recently, there have been proposals for state-led mechanisms, such as a treaty-based fact-finding body or a mechanism that could establish standards of evidence for cyber attribution, and a list of experts that States could consult akin to the specialized panels of arbitrators and experts maintained by the Permanent Court of Arbitration in disputes on the environment or outer space. The ICJ also has fact-finding powers and can draw on expert evidence in such cases.
Another challenge in litigation related to cyber operations is establishing jurisdiction over a claim. Over 300 treaties have compromissory clauses that require a dispute involving interpretation or application of the treaty to be submitted to arbitration or the ICJ. When cyber activity interferes with air safety, subsea cables in international waters, or the inviolability of embassies, for example, there may be relevant treaties that contain such clauses. These include the Montreal Convention on the Suppression of Unlawful Acts against the Safety of Civil Aviation, the U.N. Convention on the Law of the Sea and the Optional Protocol to the Vienna Convention on Diplomatic Relations concerning the Compulsory Settlement of Disputes.
Consider, for example, a hypothetical scenario in which a state-sanctioned individual in State A launches a cyber intrusion into the air traffic control systems of State B. The cyber intrusion intentionally causes flight management systems to malfunction and the aircraft to crash, killing all on board. The Montreal Convention on the Suppression of Unlawful Acts against the Safety of Civil Aviation requires States parties to punish with “severe penalties” acts that threaten the safety of civil aviation. If State A refuses to extradite or prosecute the individual, State B may be able to bring a claim relying on the Convention, which refers disputes that cannot be settled by negotiation or arbitration to the ICJ. The Montreal Convention currently has 190 States parties, so its provisions bind most countries in the world. And many States have affirmed that “States should not knowingly allow their territory to be used for internationally wrongful acts using information and communication technologies,” as is reflected in the U.N. Norms of Responsible State Behaviour in Cyberspace adopted by the U.N. General Assembly. Under this scenario, there would be a treaty basis for the victim state to call the perpetrator state to take action against the individuals involved, and a route to an arbitral tribunal or ICJ if that state refused to do so.
It is also possible that inter-state claims concerning cyber operations will come before regional human rights courts. Under the hypothetical scenario above, if States A and B were both parties to the European Convention on Human Rights, State B could bring a case against State A before the European Court of Human Rights alleging a violation of the duty to respect the right to life and of the related duty to investigate the alleged violations if State A did not investigate the killings according to the Convention’s standards.
It would, however, be necessary to establish that State A had jurisdiction over the activities in question under Article 1 of the Convention, which will depend on the facts in question. There is no developed jurisprudence on how the concept of jurisdiction should be applied in relation to cyber operations, with the exception of some cases on surveillance (for example, Wieder and Guarnieri v U.K.). But based on an expansive trend on jurisdiction, in Strasbourg and in other human rights bodies, it is likely that at least some cyber operations will be covered.
The European Court would also need to be satisfied that the cyber activity in question can be attributed to the respondent state. In the recent cases of Ukraine and the Netherlands v. Russia and Carter v. Russia, where all or much of the relevant information was within Russia’s control but the Russian authorities did not carry out an effective investigation or seriously attempt to engage in fact-finding efforts by others, the European Court of Human Rights ruled that the burden was on Russia to show that violations did not occur and made adverse inferences due to Russia’s failure to cooperate with the court. (But cases against Russia would not be possible if the incidents happened today, because Russia ceased to be a party to the European Convention in September 2022 and the court can only deal with facts arising before that date.)
An Advisory Opinion from an international court is another possibility. Recently, there has been a flurry of requests for Advisory Opinions from the ICJ, and it is possible that we may also see one in the cyber context in due course. The number of states setting out their views on how international law applies in cyberspace continues to rise, but states’ views vary, and the legal significance of their “national positions” remains unclear. The ICJ’s views on, for example, the application of sovereignty or due diligence in the cyber context could provide clarification on key questions.
Since states create international law and are still determining how existing rules apply in the cyber context, it might be said that a legal opinion in this area would be premature. But there is some frustration about the lack of progress in discussions at the United Nations. There are also questions about whether a new Global Mechanism to Advance Responsible State Behaviour in Cyberspace, established at the U.N. in July, can lead to meaningful progress. If political dialogue and negotiation fail, it is possible that — as we have seen in the climate context (where advisory opinions have been sought recently before the ICJ, International Tribunal on the Law of the Sea, the Inter-American Court of Human Rights and the African Court of Human and People’s Rights) — some states will decide to turn to the courts.
Prosecution of Cybercrimes under Domestic and International Criminal Law
If a cyber operation can be attributed to an individual, states may also be able to prosecute that individual in domestic courts. The Budapest Convention on Cybercrime and the newly-adopted U.N. Convention against Cybercrime (due to be signed in Vietnam later this month) encourage states to criminalize certain cyber activity and to cooperate in investigating and prosecuting cybercrimes. But so far, there have been very few prosecutions, despite the vast number of cybercrimes committed worldwide.
Cybercrime investigations and prosecutions are challenging, typically involving digital evidence spread across multiple jurisdictions, and perpetrators operating covertly using an array of tactics to hide their tracks. Digital evidence can be damaged or compromised and in cyber cases can involve technically complex data such as malware logs and telemetry reports. Investigators and prosecutors also depend to a significant extent on the private sector to preserve and analyze this evidence. If perpetrators are state officials, doctrines of immunity may protect them. And perpetrators often operate from countries that refuse to extradite their nationals. For instance, the World Cybercrime Index shows that Russia is a major cybercrime hotspot but the Russian constitution prohibits the extradition of a Russian national to another state.
Still, there have been some recent successes. Prosecutions have been employed as part of a broader strategy for tackling malicious cyber activity, including sanctions, disruption operations and diplomatic initiatives such as the Counter Ransomware Initiative and Pall Mall Process. For example, Operation Cronos — an international law enforcement taskforce led by the U.K. National Crime Agency and the FBI, in coordination with Europol and Eurojust — successfully executed an international disruption campaign in 2024 against LockBit, the world’s most prolific and harmful ransomware group. The National Crime Agency assesses that this group has targeted thousands of victims globally, reportedly including the Royal Mail, the U.K. National Health Service, international law firms, aerospace companies and banks. The disruption operation involved law enforcement agencies from 10 countries working together to take control of the website and services of LockBit, compromising LockBit’s primary platform and taking down 34 servers in the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States and the United Kingdom. Two LockBit operatives were arrested in Poland and Ukraine at the request of French judicial authorities and three international arrest warrants and five indictments were issued by the French and U.S. judicial authorities. The United Kingdom, United States and Australia also jointly sanctioned a senior leader of LockBit.
In the past decade, the United States has issued indictments against individuals from Russia, China, Iran and North Korea for malicious cyber operations. While in practice most of those indicted are unlikely to be extradited from their countries of nationality, the indictments show that the United States is prepared to publicly attribute cyber activity to specific perpetrators (as, for example, in the Park Jin Hyok case, involving an alleged North Korean hacker) and can back this up with evidence. Such indictments also send a message to states sponsoring cyber activity while raising awareness among the public and private sector about such activity. Those indicted also remain at risk of extradition if they travel. In 2024, for example, Evgenii Ptitsyn, a Russian national alleged to have coordinated the distribution of Phobos ransomware as part of an international hacking and extortion conspiracy, was extradited from South Korea to stand trial in the United States.
A number of new treaties may facilitate cybercrime investigations and prosecutions in the future. The U.N. Cybercrime Convention expands the possibilities for mutual legal assistance, including access to electronic evidence. The European Union’s e-evidence framework (coming into force in 2026) and the Second Additional Protocol to the Budapest Convention on enhanced cooperation and disclosure of electronic evidence (not yet in force) will also enable states to make requests for evidence directly to private telecom or social media companies.
Civil law proceedings can also play an important role in tackling cybercrime operations. For example, in 2024 the U.S. Department of Justice obtained court authorization to gain access to ransomware networks and swipe decryption keys, disrupting a botnet that targeted more than 200,000 consumer devices, including video recorders and Wi-Fi devices, worldwide.
For the most serious cyber operations, there is another avenue to accountability which has received little attention to date — international criminal law. A draft policy by the Office of the Prosecutor of the International Criminal Court on Cyber-Enabled International Crimes under the Rome Statute, expected to be finalized in the coming months, makes clear that international crimes can be committed or facilitated by cyber means in addition to more traditional means, and that the court has the jurisdictional framework to prosecute them. The policy may also provide useful guidance for domestic courts that have the power to assert jurisdiction over international crimes.
Looking Forward
As state-sponsored cyber operations proliferate around the globe, it is likely that states will start to seek accountability through the courts. Non-state actors are already seeking justice for such harms. For example, the European Court of Justice recently held that a victim of a cyber operation against the Bulgarian National Revenue agency that affected the private data of six million people may be able to claim compensation for certain types of harm. In July 2025, the European Court of Human Rights considered an application brought by individuals alleging that the United Kingdom failed to properly investigate cyber interference in elections. And in two recent cases in the United Kingdom, individuals have successfully challenged the use of spyware by Saudi Arabia and Bahrain.
There are myriad ways in which international and domestic courts can play a role in accountability for unlawful cyber operations. And developments in evidence gathering, attribution and multi-stakeholder cooperation have created clearer pathways to legal accountability. With cyber operations becoming more pervasive and destructive, it is likely that cyber cases will soon appear on the docket as victims seek their day in court.
