State responsibility for cyber attacks: competing standards for a growing problem.

Author: Shackelford, Scott J.

TABLE OF CONTENTS

I. INTRODUCTION
II. THE NEW CYBERWARFARE: DEFINITIONS & LITERATURE REVIEW
III. THE SCIENCE OF TRACING CYBER ATTACKS
IV. THE FUNDAMENTAL ISSUE OF ATTRIBUTION AND THE CASE FOR THE OVERALL CONTROL STANDARD
   A. The Drawbacks of the Effective Control Standard
   B. Evaluating the Overall Control Standard
   C. The 'Government Awareness' Approach
   D. Supplementing State Responsibility with the 'Sliding Scale' Approach
   E. Analyzing Recent Cyber Attacks Under the Competing State Responsibility Standards
   F. State Responsibility Summary
V. APPLYING THE LAW OF ARMED CONFLICT TO CYBERSPACE
   A. Neutrality, Distinction, and State Responsibility in Cyber Operations
   B. Neutrality and Distinction in Cyberspace
   C. Solutions
   D. Checking Cyber Militias and the Growth of Cybercrime
   E. Cyber Conflicts and NATO
VI. CONCLUSION

I. INTRODUCTION

At the height of the Cold War in June 1982, an American early-warning satellite detected a large blast in Siberia. A Soviet gas pipeline had exploded. The explosion was the result of a CIA-sponsored logic bomb planted in software that Soviet spies had stolen from a Canadian software company. The result was "the most monumental non-nuclear explosion and fire ever seen from space." (1) And that was almost thirty years ago.

Flash forward to September 2010 and the discovery of the Stuxnet worm--a sophisticated "cyber weapon" reportedly designed to target Iranian nuclear facilities, specifically the centrifuges at its nuclear refinery at Natanz. The worm exploited flaws in Microsoft Windows to disrupt the operation of specific plant processes that were controlled by Siemens-manufactured industrial control systems. However, an estimated 44,000 other computers around the world were also affected, and critical infrastructure in systems as far away as Germany and the United States sustained damage. (2) The worm's unusual complexity led some to conclude that the attackers had the backing of one or more national governments, rather than being the work of cyber criminals or terrorists. For example, this cyber shot heard round the world utilized stolen digital certificates to mask its malicious code, modified software to cause the Iranian centrifuges to spin at speeds that reportedly damaged 1,000 of them, and incorporated features to terminate the worm's activities on a set date. (3) Many analysts attributed the attack to Israel or the United States. (4) Stuxnet may be viewed as the first salvo in a new era of cyberwar, which is why James Lewis of the Center for Strategic and International Studies (CSIS), a think-tank in Washington, D.C., labeled this event as potentially "the first act of cyberwarfare." (5) Since the threshold defining armed attacks in cyberspace remains controversial, this statement remains contentious. Others, for example, maintain that the attack was at most a covert action, as is discussed below.

While there is a good deal of agreement on the likely identity of the Stuxnet attackers, that is not the case in the vast majority of cyber attacks. (6) The "Conficker" worm, for instance, was a global malware program starting in late 2008 that infected millions of computers, including systems in the French Navy, the Bundeswehr (German Federal Defense Force), and the U.K. Ministry of Defense, but it is still not known publicly who launched the attacks, why, and whether the malware has even been fully removed. (7) (If governments know who released the worm, they are not talking.) Situations such as this highlight the fundamental problem of attribution in cyberspace.

Stuxnet lays bare the open question of what the true potential of a logic bomb or other cyber attacks is today, now that everything from stock exchanges to national power grids is connected to a ubiquitous Internet. And it is not just cyberwarfare that is a growing problem: cyber espionage, terrorism, and cybercrime are also on the rise. President Obama has stated that $1 trillion was lost to cybercrime in 2009, a figure greater than the global market in illegal drugs. (8) This revelation prompted Rhode Island Democrat Sheldon Whitehouse to argue, "I believe we are suffering what is probably the biggest transfer of wealth through theft and piracy in the history of mankind." (9) The array of threats facing cyberspace has caused it to become the fifth domain of combat, after land, sea, air, and space. (10) But determining an appropriate legal regime to regulate this new domain incorporating jus ad bellum (the right to wage war) and jus in bello (justice in war) elements has proven to be elusive, particularly with regard to the central problem of proving attribution and State responsibility.

At a time in which the unchecked sovereign authority of States is being challenged across many arenas, State responsibility remains a key bulwark of international security. (11) But the speed and anonymity of cyber attacks make proving State responsibility and "distinguishing among the actions of terrorists, criminals, and nation states difficult." (12) As the 2007 cyber attacks on Estonia demonstrated, a State hosting groups that make attacks for reasons that benefit the State rarely cooperates in the investigation, apprehension, and extradition of those who committed that attack. (13) Moreover, there is an open question as to whether these attacks should be characterized as: cybercrimes, with Russian Nashi hackers orchestrating a coup; cyber terrorism by a group pursuing idiosyncratic ideological goals; cyberwarfare, a virtual sortie by Russian intelligence operatives; or merely a cyber riot? Determining these classifications and the distinctions between them shapes responses and retaliation, including the proper involvement of civilian law enforcement or the military if necessary.

Given the secretive nature of cyber conflict, States may incite civilian groups within their own borders to commit cyber attacks and then hide behind a (however sheer) veil of plausible deniability, thus escaping accountability. The well-documented use of patriotic hackers by several governments, including China and Russia, as well as the rise of cyber militias in countries such as Estonia speaks to the urgent necessity of resolving the critical question of State responsibility. This Article analyzes potential legal regimes of State responsibility for cyber attacks, including the effective and overall control standards. In brief, the effective control doctrine, originating in the International Court of Justice (ICJ) Nicaragua case, recognizes a country's control over paramilitaries or other non-State actors only if the actors in question act in "complete dependence" on the State. (14) In contrast, the overall control doctrine, illustrated in the International Criminal Tribunal for the Former Yugoslavia Tadic case, held that where a State has a role in organizing and coordinating, in addition to providing support for a group, it has sufficient overall control so that the group's acts are attributable to the State. (15) Other lesser known standards will also be reviewed, including the governmental awareness and the sliding scale approaches. (16) These regimes will then be applied to real examples of State-sponsored cyber attacks, including Russia's alleged attacks on Estonia. The applications focus on instances of neutral States that allow their networks to be used as launching points for cyber attacks, thus giving rise to the problems of neutrality and distinction that will be analyzed under the Laws of Armed Conflict.

The Article is structured as follows. In section II, we construct a brief literature review on the question of appropriate standards governing State responsibility for cyber attacks before summarizing some of the myriad technical challenges raised by tracing cyber attacks in section III. Section IV discusses the fundamental problem of attribution in cyberspace as well as the cases for and against various legal regimes of State responsibility as applied to cyber attacks, including the effective and overall control standards. Finally, section V analyzes the debate on the applicability of the Law of Armed Conflict to cyberspace, particularly efforts aimed at defining the armed attack threshold. This is used as a jumping-off point for a discussion on the importance of State responsibility within the context of neutrality and distinction in cyber operations. These findings are then applied to several cyber operations including the Estonian Cyber Defence League and more recent attacks emanating from unsecured African networks. On account of the extreme difficulties involved in tracing cyber attacks and proving attackers' identity and intent, we conclude by arguing for the adoption of flexible standards of State responsibility for cyber attacks, but offer the cautionary note that this may enforce the prevailing status quo strategic ambiguity.


On January 12, 2010, corporate America was compromised again as cyber attacks reportedly directed by the Chinese Politburo stole intellectual property from Google along with that of 40 other corporations, (17) mostly located within the United States. (18) In this case, the attackers employed a tactic known as "phishing," in which e-mail is sent from someone the user supposedly knows and trusts. (19) Once opened, infected attachments download "malware" onto the host's computer, allowing the hackers access to confidential information stored within the user's network. Although Google has stated that little if any of its property was lost, similar cyber attacks have led to the theft of gigabytes of sensitive information in recent years. (20)

Many cybersecurity experts have called the attack on Google routine. Indeed it was. Nearly half of more than 22 million computers scanned for malware as part of a recent survey were found to be infected. (21) Some sources estimate that between one-quarter and one-third of all home computers worldwide are...
