A DUE DILIGENCE STANDARD OF ATTRIBUTION IN CYBERSPACE

Published online by Cambridge University Press:  08 March 2018

Luke Chircop*
Affiliation:
Juris Doctor, Melbourne Law School, University of Melbourne.

Abstract

The technical and legal challenges of attribution in cyberspace prevent the meaningful operation of the international law framework of State responsibility. Despite the anticipation surrounding its publication, the Tallinn Manual 2.0 went no further than its predecessor in offering a cogent legal solution to this problem. Instead, the Manual confined its analysis of attribution to the well-known provisions of the International Law Commission's Articles on State Responsibility. This article departs from the Tallinn Manual 2.0 in arguing that the due diligence principle offers a preferable and appropriate standard of attribution in cyberspace.

Type
Articles
Copyright
Copyright © British Institute of International and Comparative Law 2018 

References

1 ‘Cyber operation’, as used in this article, refers to all conduct which, if attributed to a State, would constitute an internationally wrongful act.

2 Ilves, TH, ‘Foreword’ in Schmitt, MN (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017) xxiii.

3 Pirker, B, ‘Territorial Sovereignty and Integrity and the Challenges of Cyberspace’ in Ziolkowski, K (ed), Peacetime Regime for State Activities in Cyberspace: International Law, International Relations and Diplomacy (NATO Cooperative Cyber Defence Centre of Excellence 2013) 189, 194.

4 Crawford, J, State Responsibility: The General Part (Cambridge University Press 2013) 113.

5 Schmitt, MN (ed), Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations (Cambridge University Press 2017) 30 (Rule 6) (Tallinn Manual 2.0); Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc A/68/98 (24 June 2013) [23] (GGE Report 2013); Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc A/70/174 (22 July 2015) [13](c), [13](f) (GGE Report 2015); Schmitt, MN, ‘In Defence of Due Diligence in Cyberspace’ (2015) 125 YaleLJ Forum 68, 69–71.

6 Schmitt, Tallinn Manual 2.0 (n 5) 3.

7 ibid 42 (Rule 6, [44]).

8 ibid 79, 87–104 (Rule 15–18).

9 International Law Commission, Draft Articles on Responsibility of States for Internationally Wrongful Acts, with Commentaries, UN Doc A/56/10 (2001) 31 (General Commentary, [1]) (Articles on State Responsibility Commentaries). See also Schmitt, MN, ‘Grey Zones in the International Law of Cyberspace’ (2017) 42 Yale Journal of International Law Online 1, 11 <https://campuspress.yale.edu/yjil/files/2017/08/Schmitt_Grey-Areas-in-the-International-Law-of-Cyberspace-1cab8kj.pdf>.

10 Despite this departure, this article accepts the content given to the due diligence principle in Tallinn Manual 2.0: see below Pt II.

11 See below Pt II.

12 See below Pt III(A).

13 See below Pt III(B).

14 Responsibility of States for Internationally Wrongful Acts, GA Res 56/83, UN Doc A/RES/56/83 (28 January 2002, adopted 12 December 2001) annex (Articles on State Responsibility).

15 ibid art 4; Difference Relating to Immunity from Legal Process of a Special Rapporteur of the Commission on Human Rights (Advisory Opinion) [1999] ICJ Rep 62, 87 [62].

16 Articles on State Responsibility (n 14) art 5.

17 ibid art 8.

18 Pirker (n 3) 211. See also SJ Shackelford and Andres, RB, ‘State Responsibility for Cyber Attacks: Competing Standards for a Growing Problem’ (2011) 42 GeoJIntlL 971, 984–5.

19 Jensen, ET and Watts, S, ‘A Cyber Duty of Due Diligence: Gentle Civilizer or Crude Destabilizer’ (2017) 95 TexLRev 1555, 1557–8; Huang, Z, ‘The Attribution Rules in ILC's Articles on State Responsibility: A Preliminary Assessment on Their Application to Cyber Operations’ (2014) 14 Baltic Yearbook of International Law 41, 43; Macak, K, ‘Decoding Article 8 of the International Law Commission's Articles on State Responsibility: Attribution of Cyber Operations by Non-State Actors’ (2016) 21 JC&SL 405, 407–8; Margulies, P, ‘Sovereignty and Cyber Attacks: Technology's Challenge to the Law of State Responsibility’ (2013) 14 Melbourne Journal of International Law 496, 503.

20 Antonopoulos, C, ‘State Responsibility in Cyber Space’ in Tsagourias, N and Buchan, R (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2015) 55, 62; M Pihelgas, ‘Back-Tracing and Anonymity in Cyberspace’ in Ziolkowski, Peacetime Regime for State Activities in Cyberspace (n 3) 31, 33.

21 Tsagourias, N, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (2012) 17 JC&SL 229, 233; Shackelford and Andres (n 18) 981–2.

22 Pirker (n 3) 212.

23 Roscini, M, ‘Evidentiary Issues in International Disputes Related to State Responsibility for Cyber Operations’ (2015) 50 TexIntlLJ 233, 234.

24 Huang (n 19) 42.

25 R Geiβ and H Lahmann, ‘Freedom and Security in Cyberspace: Shifting the Focus away from Military Responses towards Non-Forcible Countermeasures and Collective Threat-Prevention’ in Ziolkowski, Peacetime Regime for State Activities in Cyberspace (n 3) 621, 625. See also Kulesza, J, ‘State Responsibility for Cyber-Attacks on International Peace and Security’ (2009) 29 PolishYBIntlL 139, 147–8.

26 Geiβ and Lahmann (n 25) 625.

27 Schmitt, MN (ed), Tallinn Manual on the International Law Applicable to Cyber Warfare (Cambridge University Press 2013) 34 (Rule 7) (Tallinn Manual 1.0). There is no equivalent rule replicated in Tallinn Manual 2.0. See also Antonopoulos (n 20) 62; Schmitt, MN, ‘“Below the Threshold” Cyber Operations: The Countermeasure Response Option and International Law’ (2014) 54 VaJIntlL 697, 708.

28 See, eg, Crawford, State Responsibility (n 4) 147–56.

29 Schmitt, ‘Grey Zones in the International Law of Cyberspace’ (n 9) 9.

30 Schmitt, MN and Vihul, L, ‘Proxy Wars in Cyberspace: The Evolving International Law of Attribution’ (2014) 1 Fletcher Security Review 55, 55.

31 Canfil, JK, ‘Honing Cyber Attribution: A Framework for Assessing Foreign State Complicity’ (2016) 70 JIntlAff 217, 218–19.

32 Foster, CE, ‘Burden of Proof in International Courts and Tribunal’ (2010) 29 AustYBIL 27, 36; Amerasinghe, CF, Evidence in International Litigation (Martinus Nijhoff Publishers 2005) 215.

33 Canfil (n 31) 218. Uncertainty over Russian involvement in the 2007 cyber attacks against Estonia, North Korean involvement in the 2014 Sony Hack, and Russian involvement in the 2016 hack of the DNC, was caused by the prominence of patriotic hacker groups in each instance: Payne, T, ‘Teaching Old Law New Tricks: Applying and Adapting State Responsibility to Cyber Operations’ (2016) 20 Lewis and Clark Law Review 683, 706.

34 Report of the Group of Governmental Experts on Developments in the Field of Information and Telecommunications in the Context of International Security, UN Doc A/65/201 (30 July 2010) (GGE Report 2010); GGE Report 2013 (n 5); GGE Report 2015 (n 5).

35 GGE Report 2013 (n 5) [16].

36 ibid [16]–[25]; GGE Report 2015 (n 5) [13].

37 Geneva Internet Platform, Digital Watch Newsletter: Issue 22 (30 June 2017) 1, 6 <https://dig.watch/sites/default/files/DWnewsletter22.pdf>.

38 AM Sukumar, ‘The UN GGE Failed. Is International Law in Cyberspace Doomed as Well?’ Lawfare (4 July 2017) <https://lawfareblog.com/un-gge-failed-international-law-cyberspace-doomed-well>; E Korzak, ‘UN GGE on Cybersecurity: The End of an Era?’ The Diplomat (31 July 2017) <https://thediplomat.com/2017/07/un-gge-on-cybersecurity-have-china-and-russia-just-made-cyberspace-less-safe>.

39 Geneva Internet Platform (n 37); Sukumar (n 38); Korzak (n 38).

40 Comment, ‘Use of Force and Arms Control: State Department Legal Adviser Addresses International Law in Cyberspace’ (2013) 107 AJIL 243, 247; Geiβ and Lahmann (n 25) 623.

41 Geiβ and Lahmann (n 25) 623.

42 Antonopoulos (n 20) 64. See also Margulies (n 19) 501, 515.

43 Pulp Mills on the River Uruguay (Argentina v Uruguay) (Judgment) [2010] ICJ Rep 14, 71 [162] (Pulp Mills); Articles on State Responsibility Commentaries (n 9) 72 (Circumstances Precluding Wrongfulness, [8]); Roscini, ‘Evidentiary Issues in International Disputes’ (n 23) 243.

44 Schmitt, Tallinn Manual 1.0 (n 27) 36 (Rule 8, [1]).

45 Geiβ and Lahmann (n 25) 628; Roscini, ‘Evidentiary Issues in International Disputes’ (n 23) 248.

46 Geiβ and Lahmann (n 25) 628 n 43. Similarly, the DDoS attacks against Estonia in 2007 emanated from computers in Russia, as well as the United States, Canada, Europe, Brazil, Vietnam, and other countries: Roscini, ‘Evidentiary Issues in International Disputes’ (n 23) 248.

47 Roscini, ‘Evidentiary Issues in International Disputes’ (n 23) 251. See also Waxman, MC, ‘The Use of Force against States that Might Have Weapons of Mass Destruction’ (2009) 31 MichJIntlL 1, 62.

48 Roscini, ‘Evidentiary Issues in International Disputes’ (n 23) 251.

49 ibid.

50 Teitelbaum, R, ‘Recent Fact-Finding Developments at the International Court of Justice’ (2007) 6 The Law and Practice of International Courts and Tribunals 119, 125–6; Roscini, ‘Evidentiary Issues in International Disputes’ (n 23) 250; Crawford, J, Brownlie's Principles of Public International Law (8th edn, Oxford University Press 2012) 38, 41.

51 See below Pt IV(A)(2).

52 Corfu Channel (United Kingdom v Albania) (Judgment) [1949] ICJ Rep 4, 22 (Corfu Channel).

53 International Law Association, ‘ILA Study Group on Due Diligence in International Law’ (First Report, ILA, 7 March 2014).

54 Schmitt, ‘In Defence of Due Diligence in Cyberspace’ (n 5) 73.

55 This article departs from the treatment of due diligence in the Tallinn Manual 2.0 only insofar as the Manual overlooks or rejects that attribution is an appropriate consequence of the principle's violation: Schmitt, Tallinn Manual 2.0 (n 5) 42 (Rule 6, [44]).

56 ibid 40 (Rule 6, [37]), 41 (Rule 6, [39]).

57 See, eg, Corfu Channel (n 52) 22.

58 Schmitt, Tallinn Manual 2.0 (n 5) 42 (Rule 6, [42]). See also Bannelier-Christakis, K, ‘Cyber Diligence: A Low-Intensity Due Diligence Principle for Low-Intensity Cyber Operations?’ (2014) 14 Baltic Yearbook of International Law 23, 30.

59 Schmitt, Tallinn Manual 2.0 (n 5) 41 (Rule 6, [40]).

60 ibid.

61 ibid 36 (Rule 6, [25]). See also Schmitt, ‘Grey Zones in the International Law of Cyberspace’ (n 9) 11–12. This mirrors ambiguity under international environmental law concerning the threshold of harm that will enliven a State's due diligence obligation in that context: International Law Commission, Draft Articles on Prevention of Transboundary Harm from Hazardous Activities, with Commentaries, UN Doc A/56/10 (2001) 152–3 (art 2, [4]–[7]); Brunnée, J, ‘Sic Utere Tuo Ut Alienum Non Laedas’, Max Planck Encyclopaedia of Public International Law (Oxford University Press, March 2010) [12].

62 Schmitt, Tallinn Manual 2.0 (n 5) 34–6 (Rule 6, [15]–[24]).

63 ibid 36–9 (Rule 6, [25]–[31]). The IGE of the Tallinn Manual 2.0 were unable to identify a ‘bright line threshold’ for the identification of such consequences.

64 ibid 37 (Rule 6, [26]–[27]), 168 (Rule 32).

65 See Schmitt, ‘In Defence of Due Diligence in Cyberspace’ (n 5) 74–5.

66 Schmitt, Tallinn Manual 2.0 (n 5) 47 (Rule 7, [16]).

67 ibid 47 (Rule 7, [17]).

68 ibid 49 (Rule 7, [24]). See also Bannelier-Christakis (n 58) 32–4.

69 Schmitt, Tallinn Manual 2.0 (n 5) 49–50 (Rule 7, [25]).

70 JP Barlow, A Declaration of the Independence of Cyberspace (8 February 1996) Electronic Frontier Foundation <https://www.eff.org/cyberspace-independence>.

71 GGE Report 2013 (n 5) [16]; GGE Report 2015 (n 5) [1]; Schmitt, Tallinn Manual 2.0 (n 5) 11 (Rule 1, [1]); Macak (n 19) 406; Margulies (n 19) 505; Pirker (n 3) 193–4; von Heinegg, WH, ‘Legal Implications of Territorial Sovereignty in Cyberspace’ in Czosseck, C, Ottis, R and Ziolkowski, K (eds), 4th International Conference on Cyber Conflict (NATO Cooperative Cyber Defence Centre of Excellence 2012) 7.

72 Antonopoulos (n 20) 57.

73 Kulesza (n 25) 142.

74 Payne (n 33) 685.

75 Comment (n 40) 247.

76 GGE Report 2010 (n 34); GGE Report 2013 (n 5); GGE Report 2015 (n 5).

77 Schmitt, Tallinn Manual 1.0 (n 27); Schmitt, Tallinn Manual 2.0 (n 5).

78 See, eg, Antonopoulos (n 20) 56 (Estonia 2007); Schmitt and Vihul (n 30) 55 (Agent.btz 2008); Messerschmidt, JE, ‘Hackback: Permitting Retaliatory Hacking by Non-State Actors as Proportionate Countermeasures to Transboundary Cyberharm’ (2013) 52 ColumJTransnatlL 275, 276 (DDoS attacks against the US and South Korea 2009); Brown, G and Poellet, K, ‘The Customary International Law of Cyberspace’ (2012) 6(3) Strategic Studies Quarterly 126, 131 (Stuxnet 2010 and Google Hack 2010); Roscini, M, ‘Cyber Operations as a Use of Force’ in Tsagourias, N and Buchan, R (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2015) 233, 244 (Saudi Aramco Hack 2012); Geiβ and Lahmann (n 25) 637 (US Department of Defense Hack 2012); Payne (n 33) 684 (Sony Hack 2014); E Nakashima, ‘Chinese Breach Data of 4 Million Federal Workers’ The Washington Post (4 June 2015) <https://www.washingtonpost.com> (US Office of Personnel Management Hack 2014); D Hollis, ‘Russia and the DNC Hack: What Future for a Duty of Non-Intervention’ Opinio Juris (25 June 2016) <http://opiniojuris.org/2016/07/25/russia-and-the-dnc-hack-a-violation-of-the-duty-of-non-intervention> (DNC Hack 2016).

79 Schmitt, Tallinn Manual 2.0 (n 5) 111 (Rule 20), 116 (Rule 21), 122–3 (Rule 22), 127 (Rule 23).

80 ibid 50 (Rule 7, [28]).

81 This article assumes that countermeasures are an effective means for promoting peace and security. For a contrary view, that increased recourse to countermeasures might have a destabilizing effect on the international community, see Jensen and Watts (n 19) 1568–75.

82 Articles on State Responsibility Commentaries (n 9) 75 (art 22, [1]); Schmitt, Tallinn Manual 2.0 (n 5) 111 (Rule 20, [1]); Gabcíkovo-Nagymaros Project (Hungary v Slovakia) (Judgment) [1997] ICJ Rep 7, 55 [83] (Gabcíkovo-Nagymaros).

83 See, eg, Schmitt, ‘“Below the Threshold” Cyber Operations’ (n 27); Tsagourias, N, ‘The Law Applicable to Countermeasures against Low-Intensity Cyber Operations’ (2014) 14 Baltic Yearbook of International Law 105.

84 Articles on State Responsibility (n 14) art 49(1); Schmitt, Tallinn Manual 2.0 (n 5) 116 (Rule 21).

85 Articles on State Responsibility (n 14) art 51; Schmitt, Tallinn Manual 2.0 (n 5) 127 (Rule 23); Gabcíkovo-Nagymaros (n 82) 56 [85].

86 Articles on State Responsibility Commentaries (n 9) 130 (art 49, [1]).

87 ibid 130 (art 49, [3]); Schmitt, Tallinn Manual 2.0 (n 5) 113 (Rule 20, [6]–[7]). Countermeasures may, however, ‘incidentally affect’ non-State actors: Articles on State Responsibility Commentaries (n 9) 130 (art 49, [5]).

88 Gabcíkovo-Nagymaros (n 82) 55 [83].

89 Schmitt, MN and Pitts, MC, ‘Cyber Countermeasures and Effects on Third Parties: The International Legal Regime’ (2014) 14 Baltic Yearbook of International Law 1, 8.

90 Schmitt, Tallinn Manual 2.0 (n 5) 49 (Rule 7, [24]).

91 Schmitt, ‘In Defence of Due Diligence in Cyberspace’ (n 5) 79; M Schmitt, ‘Cyber Responses “By the Numbers” in International Law’ EJIL: Talk! (4 August 2015) <https://www.ejiltalk.org/cyber-responses-by-the-numbers-in-international-law>; M Schmitt, ‘International Law and Cyber Attacks: Sony v North Korea’ Just Security (17 December 2014) <https://perma.cc/NE6S-NMH8>.

92 See, eg, Schmitt, Tallinn Manual 2.0 (n 5) 17 (Rule 4), 312 (Rule 66), 329 (Rule 68).

93 ibid 117 (Rule 21, [3]).

94 Articles on State Responsibility (n 14) art 51; Schmitt, Tallinn Manual 2.0 (n 5) 127 (Rule 23).

95 Articles on State Responsibility Commentaries (n 9) 135 (art 51, [7]).

96 Schmitt, Tallinn Manual 2.0 (n 5) 130 (Rule 23, [11]); Schmitt, ‘“Below the Threshold” Cyber Operations’ (n 27) 709.

97 Charter of the United Nations art 51; Articles on State Responsibility (n 14) art 21; Schmitt, Tallinn Manual 2.0 (n 5) 339 (Rule 71).

98 The first edition of the Tallinn Manual was entirely directed towards articulating the international law regulating the conduct of armed conflict, encompassing both the jus ad bellum and jus in bello: Schmitt, Tallinn Manual 1.0 (n 27) 4. See also Tsagourias, ‘The Law Applicable to Countermeasures’ (n 83) 114–15; Geiβ and Lahmann (n 25) 621–3.

99 Military and Paramilitary Activities in and Against Nicaragua (Nicaragua v United States of America) (Judgment) [1986] ICJ Rep 14, 103–4 [195] (Nicaragua); Schmitt, Tallinn Manual 2.0 (n 5) 341 (Rule 71, [7]).

100 See generally, on the application of the plea of necessity in cyberspace, Schaller, C, ‘Beyond Self-Defense and Countermeasures: A Critical Assessment of the Tallinn Manual's Conception of Necessity’ (2017) 95 TexLRev 1619; Schmitt, MN, ‘Peacetime Cyber Responses and Wartime Cyber Operations under International Law: An Analytical Vade Mecum’ (2017) 8 Harvard National Security Journal 239, 251–3; Henriksen, A, ‘Lawful State Responses to Low-Level Cyber-Attacks’ (2015) 84 NordicJIntlL 323, 348–50; Schmitt, ‘“Below the Threshold” Cyber Operations’ (n 27) 702–3.

101 Articles on State Responsibility Commentaries (n 9) 80 (art 25, [2]); Schmitt, Tallinn Manual 2.0 (n 5) 137 (Rule 26, [9]).

102 Articles on State Responsibility Commentaries (n 9) 80 (art 25, [2]); Schmitt, Tallinn Manual 2.0 (n 5) 137–8 (Rule 26, [10]–[11]).

103 Articles on State Responsibility (n 14) art 25; Schmitt, Tallinn Manual 2.0 (n 5) 135 (Rule 26). See also Articles on State Responsibility Commentaries (n 9) 81 (art 25, [5]).

104 Schmitt, ‘“Below the Threshold” Cyber Operations’ (n 27) 698.

105 ibid.

106 Bannelier-Christakis (n 58) 23.

107 Antonopoulos (n 20) 58.

108 Articles on State Responsibility Commentaries (n 9) 34 (art 2, [3]).

109 Koivurova, T, ‘Due Diligence’, Max Planck Encyclopaedia of Public International Law (Oxford University Press, February 2010) [4].

110 ibid [5]; Heathcote, S, ‘State Omissions and Due Diligence: Aspects of Fault, Damage and Contribution to Injury in the Law of State Responsibility’ in Bannelier, K, Christakis, T and Heathcote, S (eds), The ICJ and the Evolution of International Law: The Enduring Impact of the Corfu Channel Case (Routledge 2012) 295, 302.

111 Koivurova (n 109) [5].

112 ibid [6]; Heathcote (n 110) 303–4. See also Articles on State Responsibility Commentaries (n 9) 31 (General Commentary, [1], [4]), 34–5 (art 2, [3]).

113 British Institute of International and Comparative Law, ‘State Responsibility for Cyber Operations: International Law Issues’ (Event Report, London, 9 October 2014) 4.

114 Articles on State Responsibility (n 14) art 8.

115 Articles on State Responsibility Commentaries (n 9) 47 (art 8, [4]).

116 Nicaragua (n 99) 50 [86].

117 Koivurova (n 109) [27].

118 Antonopoulos (n 20) 58.

119 Shaw, MN, International Law (7th edn, Cambridge University Press 2014) 52.

120 Articles on State Responsibility Commentaries (n 9) 31 (General Commentaries, [1]); Huang (n 19) 44.

121 Margulies (n 19) 509; Caron, DD, ‘The ILC Articles on State Responsibility: The Paradoxical Relationship between Form and Authority’ (2002) 96 AJIL 857, 861.

122 Application of the Convention on the Prevention and Punishment of the Crime of Genocide (Bosnia and Herzegovina v Serbia and Montenegro) (Judgment) [2007] ICJ Rep 43, 206–11 [396]–[407].

123 Margulies (n 19) 509.

124 Articles on State Responsibility (n 14) art 55.

125 International Law Commission, Conclusions of the Work of the Study Group on Fragmentation of International Law: Difficulties Arising from the Diversification and Expansion of International Law, UN Doc A/61/10 (2006) [5].

126 Articles on State Responsibility Commentaries (n 9) 140 (art 55, [3]). The ILC provide the example of a treaty excluding a State from relying on force majeure or necessity, but leaving unchanged other circumstances precluding wrongfulness. Another example is art 91 of Additional Protocol I to the Geneva Conventions, which regulates State responsibility for acts committed during armed conflict but not peacetime: Protocol Additional to the Geneva Conventions of 12 August 1949, and Relating to the Protection of Victims of International Armed Conflicts (Protocol I), opened for signature 8 June 1977, 1125 UNTS 3 (entered into force 7 December 1978) art 91.

127 The norm ‘inconsistency’ for lex specialis to resolve, in such a case, would be between a due diligence standard of attribution (which clearly contemplates responsibility for the conduct of non-State actors), and the general principle that the only conduct attributable to States is that of its organs or agents: Articles on State Responsibility Commentaries (n 9) 38 (Attribution of Conduct to a State, [2]).

128 Huang (n 19) 45.

129 See above Pt I(A).

130 Huang (n 19) 45.

131 Statute of the International Court of Justice arts 38(1)(d), 59.

132 Crawford, Brownlie's Principles of Public International Law (n 50) 78.

133 Corfu Channel (n 52) 22.

134 ibid 15.

135 ibid 15–16.

136 ibid 22–3.

137 ‘Memorial Submitted by the Government of the United Kingdom of Great Britain and Northern Ireland’, Corfu Channel (United Kingdom v Albania) [1947] ICJ Pleadings 19, 21 [4], 48 [94].

138 Some scholars have likened ‘complicity’ to the ‘aid or assistance’ standard of attribution codified in art 16 of the Articles on State Responsibility: Corten, O and Klein, P, ‘The Limits of Complicity as a Ground for Responsibility: Lessons Learned from the Corfu Channel Case’ in Bannelier, K, Christakis, T and Heathcote, S (eds), The ICJ and the Evolution of International Law: The Enduring Impact of the Corfu Channel Case (Routledge 2012) 315, 315, 332. However, in expanding upon the article's scope, the ILC at no point drew upon the Corfu Channel decision, nor made reference to ‘complicity’ or ‘connivance’: Articles on State Responsibility Commentaries (n 9) 65–7 (art 16, [1]–[11]).

139 Corfu Channel (n 52) 16–17.

140 Declaration on Principles of International Law Concerning Friendly Relations and Co-operation Among States in Accordance with the Charter of the United Nations, UN Doc A/RES/25/2625 (24 October 1970) annex, [1] (Friendly Relations Declaration); Armed Activities on the Territory of the Congo (Democratic Republic of the Congo v Uganda) (Judgment) [2005] ICJ Rep 168, 226–7 [162] (Armed Activities).

141 Armed Activities (n 140) 262 [277], 268 [300].

142 ibid 268 [301].

143 ibid 269 [304].

144 Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (n 21) 243; Tsagourias, ‘The Law Applicable to Countermeasures’ (n 83) 113–14; Focarelli, C, ‘Self-Defence in Cyberspace’ in Tsagourias, N and Buchan, R (eds), Research Handbook on International Law and Cyberspace (Edward Elgar 2015) 255, 278.

145 Friendly Relations Declaration (n 140) [1].

146 Statute of the International Court of Justice art 38(1)(b); North Sea Continental Shelf (Federal Republic of Germany v Denmark) (Merits) [1969] ICJ Rep 3, 43 [74] (North Sea Continental Shelf); Nicaragua (n 99) 97–8 [184], 98 [186].

147 Charter of the United Nations art 51; Nicaragua (n 99) 94 [176].

148 Shaw (n 119) 823; Crawford, Brownlie's Principles of Public International Law (n 50) 771.

149 See, eg, Focarelli (n 144) 276–7; Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (n 21) 243; Tsagourias, ‘The Law Applicable to Countermeasures’ (n 83) 113; Margulies (n 19) 509.

150 Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (n 21) 242–3.

151 SC Res 1368, UN Doc S/RES/1386 (12 September 2001) (SC Res 1368); SC Res 1373, UN Doc S/RES/1373 (28 September 2001) (SC Res 1373). But see Huang (n 19) 51–3; N Jupillat, ‘Armed Attacks in Cyberspace: The Unseen Threat to Peace and Security that Redefines the Law of State Responsibility’ (2015) 92 UDetMercyLRev 115, 122–4.

152 Focarelli (n 144) 277–8 nn 152–3.

153 ibid 276–7.

154 J Brunnée and SJ Toope, ‘Self-Defense against Non-State Actors: Are Powerful States Willing but Unable to Change International Law?’ (2018) ICLQ (forthcoming) 8–10; British Institute of International and Comparative Law (n 113) 5.

155 A Banerjee, ‘Indian Surgical Strikes: Accelerating the Emergence of Nascent Norms of Use of Force against Non-State Actors’ Cambridge International Law Journal Blog (6 September 2017) <http://cilj.co.uk/2017/09/06/indian-surgical-strikes-accelerating-the-emergence-of-nascent-norms-of-use-of-force-against-non-state-actors>.

156 See especially Measures to Eliminate International Terrorism, GA Res 49/60, UN Doc A/RES/49/60 (9 December 1994); SC Res 1267, UN Doc S/RES/1267 (15 October 1999); SC Res 1333, UN Doc S/RES/1333 (19 December 2000); SC Res 1368 (n 151); SC Res 1373 (n 151).

157 Support for this doctrine is not uncontroversial though: see generally Brunnée and Toope (n 154).

158 Geiβ and Lahmann (n 25) 639.

159 ibid.

160 ibid; Tams, CJ, ‘The Use of Force against Terrorists’ (2009) 20 EJIL 359, 384.

161 Geiβ and Lahmann (n 25) 639; Tams (n 160) 385; Sklerov, MJ, ‘Solving the Dilemma of State Responses to Cyberattacks: A Justification for the Use of Active Defenses Against States who Neglect their Duty to Prevent’ (2009) 201 MilLRev 1, 12–13, 38–9; Tsagourias, ‘The Law Applicable to Countermeasures’ (n 83) 113–14; Tsagourias, ‘Cyber Attacks, Self-Defence and the Problem of Attribution’ (n 21) 243.

162 Legal Consequences of the Construction of a Wall in the Occupied Palestinian Territory (Advisory Opinion) [2004] ICJ Rep 136, 194 [139]. See also Nicaragua (n 99) 105 [200]; Tams (n 160) 363–4.

163 Tams (n 160) 385.

164 Nicaragua (n 99) 103 [194]; Oil Platforms (Iran v United States of America) (Judgment) [2003] ICJ Rep 61, 183 [43]; Armed Activities (n 140) 223 [147].

165 SC Res 1373 (n 151) [2](g).

166 Focarelli (n 144) 280.

167 Convention on Cybercrime, opened for signature 23 November 2001, ETS No 185 (entered into force 1 July 2004) (Cybercrime Convention).

168 Statute of the International Court of Justice art 38(1)(a).

169 Shaw (n 119) 58; Crawford, Brownlie's Principles of Public International Law (n 50) 24.

170 Cybercrime Convention (n 167) arts 4–5.

171 ibid art 13.

172 Geiβ and Lahmann (n 25) 654.

173 Pulp Mills (n 43) 79 [197].

174 Council of Europe Treaty Office, Chart of Signatures and Ratifications of Treaty No 185: Convention on Cybercrime (11 June 2017) <http://www.coe.int/en/web/conventions/full-list/-/conventions/treaty/185/signatures>.

175 Combatting the Criminal Misuse of Information Technologies, GA Res 55/63, UN Doc A/RES/55/63 (22 January 2001) [1](a).

176 See above Pt I(A).

177 GGE Report 2013 (n 5) [23].

178 ibid.

179 GGE Report 2015 (n 5) [13](b).

180 ibid [13](f).

181 ibid.

182 ibid [13](c).

183 ibid [13]. See also GGE Report 2013 (n 5) [16].

184 Developments in the Field of Information and Telecommunications in the Context of International Security, GA Res 66/24, UN Doc A/RES/66/24 (2 December 2011) [4] (GA Res 66/24); Developments in the Field of Information and Telecommunications in the Context of International Security, GA Res 68/243, UN Doc A/RES/68/243 (27 December 2013) [4] (GA Res 68/243). The 2013 GGE included representatives from 15 States. The 2015 GGE included representatives from 20 States (10 of which were not represented in 2013). On the impact of codification efforts on customary law generally: Treves, T, ‘Customary International Law’, Max Planck Encyclopaedia of Public International Law (Oxford University Press, November 2006) [68]–[71].

185 GA Res 66/24 (n 184); GA Res 68/243 (n 184); Developments in the Field of Information and Telecommunications in the Context of International Security, GA Res 70/273, UN Doc A/RES/70/237 (23 December 2015).

186 North Atlantic Treaty Organisation, World Summit Declaration (5 September 2014) [72].

187 Treves (n 184) [62].

188 Schmitt, Tallinn Manual 2.0 (n 5) 5–6.

189 ibid 2–3.

190 ibid 30–50 (Rule 6–7). But see above Pt I(A) for the extent to which the principle discussed in this article departs from the one formulated in Tallinn Manual 2.0.

191 Shackelford and Andres (n 18) 985.

192 Messerschmidt (n 78) 288–9.

193 Brown and Poellet (n 78) 131–2.

194 ‘North Korean Website Back Online after Shutdown’ The Times (22 December 2014) <http://www.nola.com/science/index.ssf/2014/12/north_korean_websites_back_onl.html>.

195 Payne (n 33) 684.

196 D Alperovitch, ‘Bears in the Midst: Intrusion into the Democratic National Committee’, CrowdStrike (15 June 2016) <https://www.crowdstrike.com/blog>; ‘Rebooting Watergate: Tapping Into the Democratic National Committee’, ThreatConnect (17 June 2016) <https://www.threatconnect.com/blog/tapping-into-democratic-national-committee>; M Buratowski, ‘Findings From Analysis of DNC Intrusion Malware’, Fidelis Cybersecurity (20 June 2016) <https://www.fidelissecurity.com/threatgeek>. See generally Ohlin, JD, ‘Did Russian Cyber Interference in the 2016 Election Violate International Law’ (2017) 95 TexLRev 1579.

197 Banks, W, ‘State Responsibility and Attribution of Cyber Intrusions after Tallinn 2.0’ (2017) 95 TexLRev 1487, 1488–91.

198 North Sea Continental Shelf (n 146) 43 [74].

199 See K Geer et al., World War C: Understanding Nation-State Motives behind Today's Advanced Cyber Attacks (Fire Eye, 2014).

200 See, eg, Estonia 2007 (Russia); Georgia 2007 (Russia); Agent.btz 2008 (United States and Russia); DDoS attacks against the US and South Korea 2009 (United States); Stuxnet 2010 (United States); Google Hack 2010 (China); US Department of Defense Hack 2012 (United States); Sony Hack 2014 (United States); US Office of Personnel Management Hack 2014 (United States and China); DNC Hack 2016 (United States and Russia).

201 Shaw (n 119) 55–6; Crawford, Brownlie's Principles of Public International Law (n 50) 24; Treves (n 184) [24].

202 Cheng, B, Studies in International Space (Oxford University Press 1997) 125–49.

203 Ilves (n 2) xxiv.