Control and Capabilities Test: Toward a New Lex Specialis Governing State Responsibility for Third Party Cyber Incidents

摘要

It is well accepted under international law that a State is generally responsible for the internationally wrongful acts of its de jure and de facto State organs. It is equally well accepted that a State is generally responsible for the internationally wrongful acts of non-State actors who are neither de jure nor de facto State organs if the State sufficiently directs and controls each element of the internationally wrongful act committed by the non-State actor. This general rule, known as the "effective control" test, is recognized as the lex generalis governing imputed State responsibility for the unlawful actions of non-State actors. As the lex generalis, this principle does not vary with the nature of the wrongful act in question unless there is a clearly expressed lex specialis. Based on a review of State practice since 2014, there is, in fact, a lex specialis forming that would allow for imputed State responsibility for the internationally wrongful cyber operations of non-State actors even in the absence of evidence demonstrating "effective control." Specifically, a review of State practice since 2014 reveals that States have attributed the unlawful cyber operations of non-State actors to States, publicly, even in the absence of evidence demonstrating clear State direction and control. States have instead applied what this paper calls the "control and capabilities" test, examining a multitude of factors to determine State responsibility, including: (1) the relationship between the non-State actor and the State, if any: (2) any apparent influence the State exercises over the non-State actor; (3) the methods used by the non-State actor; (4) the motivations of the two parties, if known; (5) whether the two parties use similar code; (6) technical capabilities; and (7) geographic location. This new attribution model, if risen to the level of customary international law as the lex specialis, would represent a dramatic shift in the law of State responsibility and would supplant the lex generalis "effective control" test in the context of imputed State responsibility for the unlawful cyber operations of non-State actors.