Authors: Sharngan Aravindakshan
This paper notes the increasing prevalence of cyberattacks on the international plane and identifies the shortcomings of “public attribution” or “naming-and-shaming”, the tool currently being used by nation states to publicly call out perpetrator-states (including non-state actors) to both punish as well as deter future cyberattacks. The paper points to a need for legally proving attribution in international law as a pre-requisite to receiving any form of redressal or reparations. The paper then examines the current standards and methods of proof in international law and attempts to cull out the nature and amount of evidence required for a state to prove responsibility for a cyberattack in an international legal forum. It concludes that circumstantial evidence is currently the most viable way of proving state responsibility for a cyber operation including cyberattacks and then contextually examines this in the backdrop of the recent malicious cyber incident at India’s nuclear power plant in Kudankulam.
For a while now, scholarly discussions on cyber-attacks have centered around the challenges in attributing any cyber-attack to a nation-state. This is with good reason and no one explains these reasons better than Joel Brenner who observed that “the Internet is one big masquerade ball. You can hide behind aliases, you can hide behind proxy servers, and you can surreptitiously enslave other computers without their owners’ knowledge— and then use their computers to do your dirty work.”Footnote 1
Cyberspace presents a vast array of tools for concealment and disguise. Today, any person can impersonate another computing system (IP spoofing)Footnote 2, anonymize communication through layers of encryption (onion routing)Footnote 3 and even prevent reverse engineering and deliver untraceable code (obfuscating log files)Footnote 4. These are merely a few techniques among several that enable actors to commit malicious cyber acts with impunity, including nation states.
However, while these issues do make it difficult for public attribution, i.e., a government publicly calling out the perpetrator-state, they present an even larger challenge to the victim state legally proving its claims in an international judicial forum. After all, the next step to identifying the perpetrator is claiming remedies and this can only be done once the victim State is able to prove its claims in accordance with evidentiary standards in international law.
Given that states now accept that international law applies to cyberspaceFootnote 5, this article first discusses the limitations in public attribution and highlights the need for using legal fora for redressal in cases involving cyber-attacks. This is followed by an examination of the existing requirements and treatment of evidence in international law for international wrongs and teases out the evidentiary thresholds that states will be required to meet to show an international wrong in cyberspace. The article concludes that while it is likely that international judicial forums will not relax standards of proof to accommodate the obvious cyber-challenges, circumstantial evidence is available as a potentially viable route to prove a violation. Since state to state disputes have been more commonly addressed in the International Court of Justice (“ICJ / Court”), this article will rely on the standards used by the ICJ, while also pointing out a few decisions by other international judicial forums as well.
To be clear, the article primarily deals with standards of proof and methods of proof, both of which must be distinguished from rules of attribution in international law. While the standard of proof deals with the quantum of evidence required to prove a claim, rules of attribution deal with the level of control exercised by the State over a non-state actor that caused the violation.Footnote 6 These rules of attribution primarily find their source in Article 8 of the Articles of Responsibility of States in Internationally Wrongful ActsFootnote 7 (“Articles of State Responsibility”) as well as the extremely strict “effective control” test formulated by the ICJ in Nicaragua v. United States (“Nicaragua”) and the slightly lower standard of “overall control” formulated by the International Criminal Tribunal for the former Yugoslavia in Prosecutor v. Tadic (“Tadic”). In the cyber domain, new tests are being proposed such as the “control and capabilities” test which is supposedly based on recent state practice in public attribution of cyber-attacks and is one that has an even lower threshold than the overall control test.Footnote 8 While a discussion on these evolving tests is certainly important in the cyber domain, it is worthwhile to point out that these tests of attribution should not be conflated with the standards of proof that states’ evidence must meet to prove their claims.
Citation: Aravindakshan, S. Cyberattacks: a look at evidentiary thresholds in International Law. Indian Journal of International Law (2020). https://doi.org/10.1007/s40901-020-00113-0