Three tales of attribution in cyberspace
by Dennis Broeders, Els De Busser and Patryk Pawlak
Attribution strengthens the ability of an actor to identify those responsible for malicious activities in cyberspace and potentially hold them accountable. The capacity of a state to attribute is a key element in curtailing impunity in cyberspace and ensuring justice for the victims. But attribution is not a silver bullet and should not be an aim in itself. A decision to attribute a cyber operation to another actor should be strictly linked to a broader policy objective(s) that a state or a group of states wishes to achieve. Depending on the overall goal, the process of attribution embodies several concrete choices and dilemmas concerning the level of certainty for arriving at such decision, the quality of the evidentiary standards, or the concrete instruments available to a state in response to such malicious activities, ranging from issuing a statement to criminal prosecution or imposing restrictive measures. Looking at the issue of attribution from the perspective of criminal law, international law and international policy, this paper concludes with five dilemmas that states need to address in order to advance the discussion about accountability in cyberspace.
- The process leading to attribution is often lengthy and encompasses several stages with clearly identified thresholds: suspicion, accusation, and consequences.
- The general use of criminal law and the specifics of relying on criminal law for the purpose of attributing unlawful cyber-incidents to a malicious actor applies to acts carried out by individuals, which can be non-state, state-sponsored or even directly employed by a state. However, accusation in the context of criminal law may also lead to the “instrumentalisation” of criminal law for political purposes.
- In international law, attribution is a technical step to determine who is responsible for a violation of international law and which appropriate legal framework should be triggered. Whereas in law enforcement the focus is primarily on establishing responsibility of an individual or an entity, attribution in international law is necessary in order to establish the rights and obligations of states affected by an incident and impose consequences, if appropriate.
- Policy makers look at attribution through a different lens than legal scholars and legal professionals do. Policy makers firstly define an incident in terms of a political problem and then see what route may be helpful to deal with that problem. International law and criminal law are merely among the options. As the decision to attribute cyber-attacks to state (actors), or to not do so, is often more political than legal, there are many differences between states that determine their room and will to manoeuvre on the issue.
- The fact that states can navigate between the three different pathways of criminal law, international law and political attribution – with the possibility of creating shortcuts and connections along the way – results in a number of dilemmas and challenges.