Attribution, state responsibility, and the duty to prevent malicious cyber-attacks in international law

摘要

Malicious cyber-attacks, those cyber-attacks which do not rise to the level of force in international law, pose a significant problem to the international community. Attributing responsibility for malicious cyber-attacks is imperative if states are to respond and prevent the attacks from continuing. Unfortunately, due to both technical and legal issues attributing malicious cyber-attacks to the responsible state or non-state actor is difficult if not impossible in the vast majority of attacks. Even if an injured state may recursively trace the malicious cyber-attack to the responsible IP address, this is not enough under the current international customary law to hold a state or non-state actor responsible for the cyber-attack as it is virtually impossible to bridge the air gap between the computer system and end user to demonstrate affirmatively who initiated the attack. Even if a state could demonstrate the identity of the end user that initiated the attack, this is not enough to link the end user to the state for responsibility to lie under existing customary international law. As such this study was conducted to analyze the issue of malicious cyber-attacks as a matter of customary international law to ascertain mechanism to hold states responsible for malicious cyber-attacks which originate from a state’s sovereign territory. Specifically, this study addresses the issue of legal and technical attribution of malicious cyber-attacks for the purposes of holding states responsible for those attacks.udThis study argues that under existing customary international law attributing malicious cyber-attacks for the purpose of ascertaining state responsibility is difficult if not impossible. As such, this study proposes alternative theories, which already exist within customary international law, for holding states responsible for malicious cyber-attacks which originate from their sovereign territory. This study addresses alternative theories of state responsibility existing in customary international law such as those put forth in Trail Smelter and Corfu Channel and the theory of strict liability for ultra-hazardous activities. In addition, this study addresses the theory of indirect responsibility, the duty to prevent harm, and due diligence in cyber-space. Lastly this study analysis the impact of the post-9/11 invasion of Afghanistan by the United States and NATO forces and determines that a burgeoning rule of attribution may be present which would impact the attribution of malicious cyber-attacks to states.udThis study makes an original and important addition to the corpus of international law by addressing the issues of technical and legal attribution, state responsibility, and the duty to prevent malicious cyber-attacks as a matter of customary international law. This study is needed; malicious cyber-attacks implicate international law, as the majority are interstate in nature. However, international law currently has no paradigm, per se, in place to effectively deal with the issue of malicious cyber-attacks.