Earlier this week, the U.S. Department of Justice unsealed an indictment accusing two men linked to China’s Ministry of State Security of a decade-long campaign of hacking dissidents, human rights activists, and a variety of private sector targets, including most recently entities working on COVID-19 treatments, tests, and vaccines. This cyberattack attribution follows on the heels of last week’s joint U.K., U.S., and Canadian advisory accusing Russian intelligence services of targeting COVID-19 vaccine development “with the intention of stealing information and intellectual property.” Both are part of an uptick in governmental attributions of state-sponsored cyberattacks over the last few years, including internationally coordinated attributions of the WannaCry attack to North Korea, the NotPetya attack to Russia, and October 2019 cyberattacks on Georgia to Russia.

But the relationship of these and other cyberattack attributions to international law is not well understood.

Attributions interact with international law in at least two ways. First, cyberattack attribution announcements could explicitly say that particular cyberattacks violate international law. To date, however, attributions do not typically call out cyberattacks as international law violations. At most, they characterize cyberattacks as violations of international norms. In a press conference on the latest attribution, for example, Assistant Attorney General John Demers alleged, “state-sponsored theft of intellectual property and knowingly providing . . . safe havens for cyber criminals . . . run afoul of norms of acceptable state behavior in cyberspace.” Although this may represent a missed opportunity to clarify the primary legal rules for state behavior in cyberspace (that is, what states can and can’t do), attributions can influence international law in another way that’s less obvious but equally important. Cyberattack attributions can foster agreement on secondary international law rules about how to accuse states of cyberattacks—should states have to give evidence to support cyberattack attributions or not?

In a new article, I argue that states should establish a customary international law requirement that governments that make public attributions of cyberattacks to other states must provide enough evidence to enable cross-checking or corroboration of their attributions. Let me explain why.

States and commentators have been working for more than a decade to establish norms of responsible behavior and to clarify how existing rules of customary international law apply in cyberspace. Reports from the U.N. Group of Governmental Experts, speeches by government officials, and scholarly efforts like the Tallinn Manual have all contributed to this project. But fundamentally, the process of creating customary international law requires the application of law to facts. In the murky world of cyberoperations, facts about state behavior have been hard to come by. Cyberattack victims and the principal perpetrators may be the only entities that know an attack has occurred (and sometimes victims may not realize they have suffered an attack), victims may keep mum about attacks, attacking states usually don’t publicize their actions, and identifying particular perpetrators is technically challenging. Public attributions of state-sponsored cyberattacks have become one of the best sources of information the public has about state behavior in cyberspace.

Understanding state behavior matters because it is one of two components of customary international law, which requires (1) general and consistent state practice that is (2) undertaken out of a sense of legal obligation (opinio juris). Because attributions feed into the assessment of state practice for setting the primary rules of state behavior—the rules about what states can and can’t do—it’s important that they are accurate. One way to ensure accuracy and also improve public acceptance of attributions is to provide evidence to support the accusations. This argument is familiar from other contexts. Think of administrative agency records compiled and publicly disclosed to support rulemaking. Transparency and reason-giving strengthen the legitimacy and accuracy of agency action by allowing for public contestation.

To ensure the accuracy and credibility of cyberattack attributions, I argue in the article that states publicly attributing cyberattacks to other states should provide sufficient evidence to enable cross-checking and corroboration of the attribution by other states, private companies, and academic researchers. There are significant attribution capabilities outside governments that can help to confirm (or refute) government accusations. Some of the most significant attributions in recent years, including Russia’s 2016 hacking of the Democratic National Committee, have come first from the private sector and later been confirmed by governments.

To be sure, some states and other constituencies may credit even unsupported attributions, such as those made by their allies. But such “trust us” attributions are unlikely to fully persuade anyone besides close allies. Building broader coalitions to accept attributions and ultimately condemn the underlying cyberattacks will require greater transparency.

States that make public cyberattack attributions have already gone some way toward providing evidence. The amount of evidence disclosed has generally increased over time since the initial thinly supported attribution of the Sony Pictures hack to North Korea. The amount of evidence that the United States provides also tends to vary by the format in which the attribution is made—Department of Homeland Security technical alerts include more detail than press releases, and indictments are usually somewhere in between. Often the United States rolls out multiple attribution mechanisms over time. In the 2016 election interference case, for example, the United States initially attributed the attack to Russia in October 2016 in a joint statement from the Department of Homeland Security and Office of the Director of National Intelligence, and followed up later with sanctions against Russia’s Federal Security Service (FSB), Main Intelligence Directorate (GRU), and individual GRU officers, among others. Then in July 2018, Special Counsel Robert Mueller released an indictment charging individual GRU officers with hacking election-related targets.

But even as states provide some evidence to support their attributions, they have taken the position that they give evidence purely as a matter of policy, not due to a legal requirement. Then-State Department Legal Adviser Brian Egan explained in a 2016 speech,

[D]espite the suggestion by some States to the contrary, there is no international legal obligation to reveal evidence on which attribution is based prior to taking appropriate action. There may, of course, be political pressure to do so, and States may choose to reveal such evidence to convince other States to join them in condemnation, for example. But that is a policy choice—it is not compelled by international law.

In a 2018 speech, U.K. Attorney General Jeremy Wright agreed, stating “[t]here is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based.” France and the Netherlands have taken similar positions. In other words, although state practice might now support at least some evidence-giving, opinio juris is lacking. That can and should change.

States considering cyberattack attributions shouldn’t discount the potentially potent combination of attributions and disinformation campaigns. Establishing a norm of evidence-free attributions invites ill-substantiated, mistaken, and even deliberately false accusations that will be difficult for accused states to refute. That could be highly problematic for particular states faced with specific accusations, and more broadly, inaccurate-but-difficult-to-refute attributions also risk causing confusion about state practice in cyberspace. Mistaken or deliberately false attributions could be used to claim that states believe certain actions to be permissible, which could distort or corrupt attempts to establish norms of responsible behavior or rules of customary international law for states in cyberspace.

Establishing a new customary international law rule to require evidence-giving to support attributions will require states to overcome some hesitancy about revealing sources and methods used to secure intelligence information. On the other hand, for states already engaged in making attributions, recognizing evidence-giving as a legal rule rather than just a policy choice would require more of a change in legal conception than a shift in behavior. States making attributions already give some evidence, sometimes quite a bit, and attributions by companies and academic institutes show that government sources and methods are not always necessary to make attributions. States already engaged in public attributions have an opportunity to use their first-mover advantage to set a standard for evidence-giving that could be similar to their existing practice. The process for doing so is straightforward. If a few states with significant cyberattack capabilities or high-profile victim states were to adopt and begin advocating for an evidentiary standard, they could start the ball rolling on setting a norm in favor of evidence-giving that could harden over time into a customary international law rule that states entering the attribution business later would have to meet.

As explained in the article, international law rules on evidence-giving to support accusations are not well settled even in more conventional contexts, like the use of force in self-defense. If a specific evidentiary rule can be established in the cyberattack attribution context, that rule could eventually morph into a more generally applicable rule of customary international law. But for now, the interplay between cyberattack attributions and the still unsettled rules for state behavior in cyberspace makes establishing an evidentiary standard in the cyberattack context an important first step.


Photo credit: Operations at U.S. Army Cyber Command (ARCYBER) headquarters, Fort Belvoir, Va., May 15, 2019. (Photo by Bill Roche)