Cyber-attacks, attribution and the law
The law usually responds to new developments in society, but when these developments arise at the speed of a fibre-optic cable, lawmakers can have a hard time keeping up. While rules governing international operations already exist, many of them have not been interpreted for cyber operations yet. This is why lawyers need to run through contemporary cyber legal matters, and translate existing legal standards to the cyber domain.
Recently released books, such as the Tallinn Manual 2.0 on the International Law Applicable to Cyber Operations, try to provide legal guidance, helping organizations interpret existing rules and legal norms in the cyber context. This guidance, along with the ongoing analysis provided by lawyers during cyber operations, can ensure that a State's or an organization's (re-)actions to cyber-attacks have a legal basis. This in turn creates new customary rules based on state behavior.
It should be noted, however, that even though these books provide scholarly guidance and practical tools to deal with cyberspace legal issues, many of the violations have not yet materialized. If they do, States may decide to respond very differently, and suggested legal actions or outcomes may not necessarily be followed by States.
Attribution can also be a source of difficulty during cyber operations. The victim of a cyber-attack has limited legal response options, which can be seriously hampered when the perpetrator's identity is not clear. Cyber security experts must be able to prove with reasonable certainty that a certain actor is behind malicious cyber operations for the victim State to take certain legal actions.
While the author of a conventional use of force can usually be identified with certainty very quickly, cyber-attacks usually involve techniques that will make it difficult to attribute the attack to a specific State or group. This can effectively prevent the victim State from obtaining the needed legal basis to respond under international law. Therefore, lawyers may need to look at the context of a cyber-attack to determine its nature. For example, cyber-attacks carried out during a conventional conflict will probably be associated with the adversary.
Also, as cyber-attacks are increasingly carried out by groups that only have a loose affiliation to the State where they are located, it is difficult to determine if that State is aware of, involved with or even actively supporting the attacker.
If the State concerned refuses to provide assistance in stopping attacks from a group on its territory, for example, then the injured party may at some point conclude that this State is either supporting the group or the attack, or unable to prevent the attacks from happening. In that case, a legal advisor must determine whether the attack can still be resolved under the applicable law enforcement regime, what the options are under international law, and possibly whether it may justify a military response.
Finally, the effects of a cyber-attack may be overestimated initially. What may appear to be a major attack may only cause minor damage in the long term. For example, a denial-of-service attack, like the one that occurred in Estonia in 2007, will render websites inaccessible for a certain period of time, but may not cause permanent damage or loss of data. And if the injured party were to retaliate with a military response too quickly, they would run the risk of reacting in a disproportionate, and thus unlawful, manner.
Most cyber-attacks that take place currently, however, do not reach the threshold of an armed conflict. They occur during peacetime. They include malicious activity such as breaking into military networks to steal classified information, espionage, website defacement and denial of service attacks.
Although these attacks may not be legally sufficient to trigger an armed conflict, they do not prevent the victim from taking steps to protect their network and infrastructure, for example by filtering or blocking network traffic coming from certain regions. Defensive measures can also contribute to gathering evidence against an attacker, and using it through international treaties for policing and judicial cooperation.
These examples highlight the need for legal staff to be constantly involved in cyber exercises, so as to simulate real-life decision-making processes at all levels (political, operational, public relations and legal). Exercises like Locked Shields help lay bare contemporary legal challenges and solutions and, as such, provide deeper insight into the cyber domain.