The control capabilities test: How a new legal regime is shaping attribution in cyberspace

摘要

Attribution in cyberspace is one of the most difficult questions facing policy makers, lawyers, and jurists. Indeed, the first question often asked in the wake of a cyber incident is “who did it?” The answer to this question is often critical when dealing with the application of international law because it will dictate the rights and responsibilities of States both from an offensive and defensive perspective. Without proper attribution, for example, a State's responsive capabilities are limited. Making matters worse, attribution is difficult to establish factually. Non-State actors often mask their identity, and State actors often hide their true intentions. The degree to which the international rules governing State attribution apply in cyberspace is therefore a matter of great public importance. This paper posits that a new lex specialis is, in fact, forming that, if risen to the level of customary international law, would supplant the lex generalis “effective control” test and allow for imputed State responsibility for the internationally wrongful cyber operations of non-State actors even in the absence of express direction or control. This new test, which this paper calls the “control and capabilities” test, would allow for the attribution of non-State actor cyber activity based on a multifactored test, examining: (1) the relationship between the nonState actor and the State, if any; (2) the cyber methods used by the non-State actor and whether those methods are similar to the State; (3) the motivations of the two parties, if known; (4) the similarity in technology and/or code used by the two parties; (5) the technical capabilities of the two parties; and (6) geographic location. Below is a summary of this developing test, and thoughts on how it may impact the overall corpus of international law in cyberspace.