Introduction
Cyber warfare is an extension of policy by actions taken in cyberspace by state or non-state actors that either constitute a serious threat to a nation’s security or are conducted in response to a perceived threat against a nation’s security. It is mainly an internet-based conflict involving politically motivated attacks on information and information systems. With cyber warfare upending conventional ideas of military conflict, it has become a crucial topic in international relations. There have been many instances of cyberattacks and intrusions resulting in major financial losses, data sieges, infrastructural damages, and other gargantuan damages to the victim nations. This article attempts to come up with a proper understanding of the issue of attributing the instances of cyber warfare, with a special focus on attacks being committed by non-state actors, as it is imperative to come up with a balanced standard of attribution, which harmonises the peculiar nature of cyberwarfare with the already existing conventional methods of attribution. The article will also attempt to determine whether an instance of cyberattack can be termed as a use of force, as enshrined in the United Nations (“UN”) Charter. By the end of this article, we will have discussed whether or not cyberattacks qualify as acts of war, with an emphasis on addressing attributional concerns. For the purpose of this article, we shall define ‘Non-State Actors’ as entities operating in cyberspace lacking a defined physical area or territorial sovereignty. It can refer to people, teams, or organisations that function both independently and cooperatively.
I. When Can a Cyberattack be termed as a Use of Force?
The UN defines the use or threat of force to undermine a state’s political independence or territorial integrity, or to act in any other way that is contrary to UN goals as ‘use of force’. It is well accepted that a State can exercise its right of self-defence if it is a victim of an act of war, as stated by the UNSC. It is important to have clarification over the question of instances when a case of cyberwarfare breaches the UN mandate over the use of force thus resulting in the rise of the right of retaliation enshrined to the UN members under its charter. It is settled that the existence of an armed attack is a condition sine qua non for the exercising of the right to self-defence, thus making it imperative to determine the scenarios when a cyberattack can be termed as ‘use of force.’
Before moving ahead, it is imperative to note that the term ‘armed attack’ is encapsulated under the term ‘use of force’. The International Court of Justice (“ICJ”) provided clarification on the meaning of the phrase “armed attack” by highlighting the necessity of distinguishing between the most serious uses of force—which constitute an armed attack—and other, less serious uses of force. The legal classification of non-destructive cyber operations remains unclear due to the lack of a clear and final criterion established by many states to evaluate them within the confines of the ban on the use of force. There have been attempts by a few states to determine which instances of cyberattacks as a case for an armed attack, still, these are very narrow in their application and have been designed to suit their national interests.
If we read together rules 11 and 12 of the Tallinn Manual, we understand that a cyber operation is illegal if it jeopardises or undermines a state’s territorial integrity, political independence, or breaches UN standards. It is considered a use of force if its scope and consequences are equivalent to those of regular military operations. Most states consider the threshold for an armed attack to be greater than that for the use of force. The problem is deciding when a cyber operation satisfies the definition of an armed attack. States differ on this and their determination can be termed as self-serving, as seen earlier. When a cyberattack reaches the point of using force, it may be considered an act of war under international law. However, in order to respond proportionally under the principles of self-defence, it is critical to precisely identify the source of the attack. The legal reaction is influenced by whether the cyber operation is carried out by a non-state actor or directly by a state, as governments can be held liable for non-state actors’ actions if there is proof of direction or control. Attribution is thus critical in identifying the right legal framework and ensuring that any actions follow international law.
II. When can a non-state actor be attributed for an Act of Cyberwarfare?
For a victim state, attribution is essential because it establishes accountability for an act before a reaction is put into action. Going by the Tallin Manual 2.0, States are liable for cyber-related activities committed by their own officials, agents, contractors, nonstate actors, and other states to the degree that they have influence over the operations. States cannot avoid legal responsibility for international wrongful acts by committing them through proxies. There has been many instances when a state has attributed a cyberattack on another state, but the issue arises when the attack is committed by a non-state actor. If we look at Article 8 of Responsibility of States for Internationally Wrongful Acts, it states that “The conduct of a person or group of persons shall be considered an act of a State under international law if the person or group of persons is in fact acting on the instructions of, or under the direction or control of, that State in carrying out the conduct.” Thus, this provision allows the victim state to take the requisite legal action against the Non-State Actors committing the Armed Attacks. It was noted in the Corfu case by the ICJ that ‘it is every State’s obligation not to allow knowingly its territory to be used for acts contrary to the rights of other States’. There are a few major issues with respect to the process of attribution in cases of cyberwarfare being committed by a Non-State Actor, the most glaring being the “boundlessness and anonymity of the cyber domain.” These technological limitations have two significant implications for attribution, both of which are essential in the context of cyber-armed strikes. The first is that the danger of misattribution increases, posing the possibility of catastrophic conflict escalation if a state mistakenly attacks an innocent third party in its self-defence reaction. The second point is that the amount of time it will take to accurately identify the culprit will very certainly make it substantially more difficult for a state to meet the elements of immediacy and necessity necessary to legitimately exercise its right to self-defence.
The ICJ tried to answer the doubts with respect to the acceptable way through which a State can be attributed with an armed attack by a Non-State Actor on another state. Two distinct situations were distinguished: one included persons who function under the supervision, financial backing, and armament of a State organ, and the other involved individuals who, although being armed and financially supported by the State, retain some degree of autonomy in their acts. In determining whether an activity was performed “under the direction or control” of a State, accountability can only be proven if the State explicitly oversaw or directed the specific operation and if it was a crucial aspect of the mission as a whole. Effective control is a sine qua non, as understood and fully supported by the ICJ. When deciding whether a state may be held liable for the deeds of a non-state actor in cyber operations, the effective control test is essential. Nonetheless, demonstrating the scope of control and the legal threshold are equally challenging. The difficulty is exacerbated by the fact that cyber activity is frequently covert, making evidence gaps more important. Attribution becomes a risky endeavour in the absence of hard evidence of a state’s direct involvement or control, underscoring the urgent need for strong evidentiary requirements to guarantee correct responsibility under international law.
III. The necessity of proper evidentiary proceedings in attribution to non-state actors for cyberwarfare
States’ investigations into cyberattacks are made more difficult by the lack of a unified set of guidelines for evidence production under international law. To establish the subjective element of cyberattacks violating international humanitarian laws, three levels of evidence are required to properly attribute a cyberattack to a State or a non-state actor, “First, the computer(s) or server(s) from which the operations originate must be located; second, the individual behind the operation needs to be identified; and third, it needs to be proved that the individual acted on behalf of a State so that his or her conduct is attributable to it.” Fulfilling these above-stated criteria is very difficult because of the issue of anonymity. The ICJ has already stated that evidence must be completely conclusive in order to support allegations of extraordinary seriousness, and this requirement extends to attribution. As stated by the UN GGE Report, Claims that States are being accused of planning and carrying out unlawful activities ought to be supported by evidence. For example, ICJ considers a variety of factors, including the evidence’s source and independence in particular; the investigation’s impartiality; whether the evidence is first-hand and contemporaneous or secondary and subsequent to the event; the soundness of the assessment methodology; and whether the evidence has been cross-examined or corroborated. These criteria are very limiting as due to inadequate evidence and ambiguous evaluation techniques, the majority of attribution reports now in use by government agencies and commercial security firms are probably going to fail requirements for independence, impartiality, and openness. Government reports frequently utilise material without citing the source or providing proof, or they make legally ambiguous references to private sector reports. Thus coming up with a proper set of rules and criteria to adjudge any piece of evidence as admissible to aid the process of attribution is the crying need of the hour.
IV. Recommendation
The above discussion leads us to understand that there are certain glaring lacunae in the standards of law that deal with the aspect of Cyberwarfare. It is noted that there is an urgent need for special international legislation governing the various aspects of cyberwarfare, that shall also possess answers to the pressing questions on which there is currently a lack of unanimity and cohesiveness, similar to the Outer Space Treaty, 1967. Certain regional legislations dealing with methods to deal with these cyberwarfare issues can be looked at and referred to in order to come up with a better understanding of them.
With respect to the determination of cyberattacks meeting the threshold of being termed as use of force violating the UN charter, it is suggested that a cyber operation should also be assessed for its ability to cause or intensify political, social, or physical events that lead to major harm or instability. Through this method, it makes it a tad bit easier to take action against the foul State or the Non-State Actor, while also maintaining the need to maintain the strict threshold for taking action, thus preventing its misuse. It is still stated that the degree of effect and other nitty-gritty of the procedure should be unanimously discussed and agreed upon by all the States, thus eradicating the issues of subjectivity and exploitation. It is also recommended that instead of the concept of effective control, which is considered more apt by the ICJ, it is better to utilise the concept of overall control, as proposed in the Tádic case, and championed by eminent scholars Lorraine Finlay and Christian Payne.
With respect to the question of the determination of evidence necessary for proper attribution, the requirement of specialised international legislation is felt that provide a proper set of guidelines that set out proper set of laws governing the admissibility of evidence, which can ease the process of attributing it to a State or a Non-State Actor. It is suggested that Internet Service Providers keep detailed metadata records following the “born-in-the-cyberspace” philosophy, from which the origins of all cyber activities can be traced back. If the walled gardens were internationalized and logged, those records could be internationally subpoenaed anytime there was a hint of cyberattack, providing a much cleaner way to possibly traceback attackers right back to their starting point on the global web.
V. Conclusion
The growing threat of cyberwarfare calls for a strong and unified international framework to tackle its legal and operational challenges. The difficulty in attributing cyberattacks, especially those carried out by non-state actors, is exacerbated by the anonymity and vastness of cyberspace, leading to risks of misattribution and potential conflict escalation. While existing international norms, such as the UN Charter and the Tallinn Manual, provide some foundational guidelines, they do not fully address the unique issues that arise from cyber operations. To fill these gaps, the international community needs to implement specialized legislation similar to the Outer Space Treaty or the Comprehensive Nuclear-Test-Ban Treaty, which would bring clarity and consistency to the handling of cyberwarfare. A proposed change from the “effective control” standard to the “overall control” standard for attribution could help alleviate evidentiary challenges, as seen in the Tádic case. Additionally, mandating Internet Service Providers to keep detailed metadata and establishing international mechanisms for evidence collection would improve transparency and accountability. A balanced and cohesive strategy is essential to align the unique aspects of cyberwarfare with established international law. This approach will not only deter malicious actors but also allow states to defend themselves in a proportional manner without violating global legal norms. The time to take action is now—if we fail to confront these challenges, we risk entering a period of unregulated and escalating cyber conflicts.
This article is a part of the DNLU-SLJ (Online) series, for submissions click here.
Student, WBNUJS, Kolkata
