Attribution to State of Cyber Operations Conducted by Non-State Actors

Abstract

State-sponsored cyber operations constitute a real challenge for the law of State responsibility. One of the main issues is the impossibility in most cases, at least to date, to identify clearly the perpetrators of cyber operations, either individuals or State agents, and to determine whether their conducts are attributable to States or other subjects of international law. Most cyber operations generally alleged to be state-sponsored have not been clearly attributed to a State yet. International law cannot bring a solution to the technical problem of attribution. However, attribution cannot be limited to its technical aspects. Generally, attribution of cyber conducts has three different dimensions: firstly, the attribution to the machine from which the cyber operation was launched or had transited; secondly, the attribution to the person who conducted the cyber operations; and thirdly, the attribution to an aggregate entity, notably a State. The present Chapter focuses on attribution from an international law perspective, that is to say attribution of a conduct to a State or another subject of international law. More specifically, it focuses on the specific question of attribution of cyber operations conducted by non-state actors under the instructions, direction or control of the State.