Content Assessment: Who Did It? Developing Applicable Standards of Proof for Peacetime Cyber Attribution (CCDCOE)
Information - 91%
Insight - 90%
Relevance - 89%
Objectivity - 92%
Authority - 93%
A short percentage-based assessment of the qualitative benefit of the paper by the NATO CCDCOE on the topic of cyber attribution.
Background Note: Shared for the non-commercial educational benefit of cybersecurity, information governance, and eDiscovery professionals, this recently published Tallinn Paper may be useful for legal, business, and information technology professionals seeking a deeper understanding of cyber attribution. The Tallinn Papers are peer-reviewed publications of the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE). They are designed to inform strategic dialogue regarding cyber security within the Alliance and beyond. They address cyber security from a multidisciplinary perspective by examining a wide range of issues, including cyber threat assessment, domestic and international legal dilemmas, governance matters, assignment of roles and responsibilities for the cyber domain, the militarization of cyberspace and technical. Focusing on the most pressing cyber security debates, the Tallinn Papers aim to support the creation of a legal and policy architecture that is responsive to the peculiar challenges of cyberspace. With their future-looking approach, they seek to raise awareness and to provoke the critical thinking that is required for well-informed decision-making on the political and strategic levels.
Tallinn Paper from CCDCOE*
Developing Applicable Standards of Proof for Peacetime Cyber Attribution
Jeremy K. Davis
In order to take countermeasures properly under customary international law, states must attribute the triggering internationally wrongful act to the perpetrator state accurately. International law tolerates no mistake or error in such attributions, in essence holding states to a standard of proof of “beyond reasonable doubt” for a countermeasure to be lawful. However, in the potentially more consequential context of self-defense — in which, unlike with countermeasures, military force is authorized — a notably less stringent standard of “reasonableness” applies and errors in attribution are accepted. The author proposes that standards of proof applicable to peacetime cyber attribution should be more stringent as the severity of the action in response increases. According to the new Tallinn Paper, a more balanced approach would subject attribution of internationally wrongful cyber operations giving rise to countermeasures to a preponderance of the evidence standard. At the same time, any response taken by a state in self-defense should require attribution based on clear and convincing evidence before it is deemed “reasonable”.
Strained inter-state relationships and strategic competition are increasingly finding their expression in the cyberspace domain. The United States and Israel reportedly masterminded the 2009–2010 Stuxnet operation destroying centrifuges at the Natanz nuclear facility in Iran. Russia meddled in the 2016 and 2020 US presidential elections. North Korea perpetrated the 2017 WannaCry malware operation infecting hundreds of thousands of computers globally. The US, in 2019, allegedly disabled Iranian computer systems being used to plan attacks on oil tankers in the Persian Gulf. Russia conducted the 2020 SolarWinds malware operation that affected US government agencies and private sector companies.
States broadly agree that cyberspace is not a lawless void. Extant international law governs cyber activities whether one conceives of cyberspace as a warfighting domain or, more broadly, as a strategic domain. Calls to negotiate and conclude a new treaty governing cyber operations will likely be unsuccessful and, unfortunately, the two main forums aimed at achieving state consensus regarding how existing international law applies to state cyber activities – the United Nations Group of Governmental Experts (‘GGE’) and the United Nations Open-ended Working Group (‘OEWG’) – have so far yielded only tepid results. While the pursuit of broad international understanding concerning what constitutes lawful cyber activity remains ongoing, states are (or should be) examining the legal and policy parameters governing their pre-planned and anticipated responses to both lawful and unlawful hostile cyber operations.
To date, the GGE, the OEWG, and states in their official statements have focused on the conformity of state cyber operations with existing norms of international law. Primary rule questions such as when a cyber operation constitutes an armed attack and how the principle of proportionality applies to cyber operations will likely be answered either by ‘as is’ application of well-settled international law or through evolutionary changes to international law resulting from state interpretation. States have seemingly eschewed identifying the quantum of evidence necessary to validate their cyber attributions because questions of cyber attribution involve secondary rules of international law that are ‘notoriously underdeveloped even outside the cybersecurity context’.
This article adopts an international relations-based approach to standards of proof for cyber attribution, concentrating on the development of international norms of evidence applicable to state-on-state hostile cyber operations. This article will illuminate the lack of law on standards of proof for peacetime cyber attribution, discuss the complexities those missing standards introduce into the foreign relations calculus and propose discrete standards of proof that will provide a uniform frame of analysis by which to critique a victim state’s attribution and resulting response.