The Law & Politics of Cyberattack Attribution


Attribution of cyberattacks requires identifying those responsible for bad acts, prominently including states. To guard against baseless or false attributions, this Article argues that states should establish an international law requirement that public attributions of state-sponsored cyberattacks must include sufficient evidence to enable cross-checking or corroboration of the accusations. This functionally defined standard harnesses both governmental and non-governmental attribution capabilities to shed light on states’ actions in cyberspace, and understanding state practice can help to foster the development of norms and customary international law to govern state behavior. Moreover, setting a clear evidentiary standard for attribution in the cybersecurity context has the potential to clarify currently unsettled general international law on evidentiary rules. The Article also engages debates about institutional design for cyberattack attribution and argues that if recent proposals for an international attribution entity come to fruition, such an entity should supplement, not replace, the current decentralized system of attribution.