Position Statement: An International Attribution Mechanism for Hostile Cyber Operations

Updated: 5 days ago

Authored By:

Aishwarya Shakti (Research Intern)


1) Introduction

2) Fact-finding mechanisms

3) The existing state of cyber attribution

4) International attribution mechanisms

5) Advancement

6) Conclusion

1) Introduction:

Cyberspace has been characterized as revolutionary, an area devoid of normative constraint. Intellectuals and experts have been striving to address the uncertainty. And the States have just begun to set forth their views on how international law governs cyberspace.

Many states are reluctant to invoke international law relating to hostile cyber operations, as their political or operational interests which makes themselves operate on the virtual frontline, either facing or launching hostile operations and also because doing so could reveal their technical cybersecurity capabilities and vulnerabilities. Yet, no concrete efforts have been taken to establish a complete international mechanism on technical attribution of hostile cyber operations.

The researchers organized an international research project to consider the practicality of establishing an international attribution mechanism, along with its usefulness. Workshops organized by the project brought together academicians and policymakers, to discuss papers prepared by the project's researchers as standards of proof for attributing cyber operations under the law of State responsibility, the use of private cybersecurity companies to investigate cyber incidents, investigative models drawn from other technology-intensive fields like weapons control regimes, and the collective attribution practices of the European Union (EU) and North Atlantic Treaty Organization (NATO). This process enabled the identification of certain contexts in which an international attribution mechanism could prove useful and several constituencies that might be interested in turning to it in appropriate cases.

The discussions, which were subject to the Chatham House Rule, have led the researchers to conclude that, States having significant cyber capability have a slight interest in creating an international attribution mechanism for cyber incidents. Such states are of the view that they can generate sufficient accountability and deterrence with their independent technological capacity. The discussions also suggested that countries with limited technological capacity and less ability to mobilize international support for collective attribution are more open to the prospect, especially as a tool for "naming and shaming" states conducting unlawful cyber operations against private and public infrastructure in their territory.

Through the article, the researcher examined several possible validations for establishing an international attribution mechanism and its principal constituencies. Part 2 analyses the international fact-finding mechanisms. Part 3 details the limitations of the existing practices for attributing responsibility for hostile cyber operations. Part 4 reviews proposals to establish an international attribution mechanism, whereas part 5 examines the constituency for a new mechanism and part 6 sets forth the conclusion.1

2) Fact-finding mechanism:

Fact-finding and inquiry mechanisms often have been employed in the field of international human rights law to establish accountability for violations and to facilitate subsequent action by political bodies entrusted with promoting respect for human rights. Fact-finding mechanisms have also been used to support action by political bodies in other fields of international law, such as international civil aviation law and international labour law.

Fact-finding fosters accountability by exposing facts and facilitating accountability-generating processes, thereby also enhancing deterrence. In doing so, fact-finding mechanisms contribute to the rule of law in international relations. A specific area of international relations in which fact-finding mechanisms have proven effective is arms control. Fact-finding in this field, especially concerning the developmental use and proliferation of unconventional weapons, is especially relevant to cyber activity because states tend to operate behind a shroud of national security secrecy and investigations require sophisticated scientific expertise to collect and analyze data. Information is collected and analyzed by verification mechanisms typically have ongoing monitoring responsibilities, such as routine inspections, and the collection of data from monitoring stations and on-site instruments. Verification mechanisms can include, documents, technical data, samples, and interviews and it has the potential to embarrass violators and set international legal and political processes of condemnation and sanction in motion, they are integral to the stability of arms control regimes. The recent report by the United Kingdom to the OPCW inspection machinery in connection with the Salisbury incident illustrates how a technical fact-finding apparatus can be used to shame a violating State and support accountability. It also casts new light on some of the principled arguments discussed below, which question the necessity of developing an international accountability mechanism in the field of cybersecurity.

Flagrant violations of international law norms prohibiting the employment of chemical weapons initiated an effort to impose accountability through the use of an international fact-finding mechanism and by authorizing it to attribute legal responsibility. These moves were accompanied by ad hoc sanctions against suspected perpetrators and the development of a standing sanctions mechanism. The question is whether a similar dynamic involving international fact-finding, attribution of international responsibility, and the imposition of collective sanctions would be viable in other fields of activity involving national security that pose technical attribution challenges and face denials by responsible States, specifically cyber operations.

3) The existing state of cyber attribution:

States that have fallen victim to hostile cyber operations are increasingly willing to attribute them to other States. Moreover, attribution is often collected in the sense that it involves the issuance of a common statement or endorsement of another State's assertion of responsibility. The collective attributions of the Wannacry and Notpetya cyber operations, as well as hostile cyber operations targeting the OPCW and Georgia, are illustrative of this developing practice. There has also been some progress in developing a structure for collective attribution.

The EU Cyber Diplomacy Toolbox, adopted in 2017, provides a joint EU diplomatic response to hostile cyber operations and as a part of this, the EU established a cyber-related sanctions regime in 2019 that provides the imposition of "targeted restrictive measures" on natural and legal persons. Both the toolbox and the sanctions regime clarify, that a joint diplomatic response or the imposition of sanctions should be distinguished from a decision to attribute responsibility to a foreign State.

Other States, international and regional organizations are also crafting collective responses to hostile cyber operations. The 2018 U.S. National Cyber Strategy aimed at building a coalition of like-minded states that can act "in concert" to impose "consequences" on adversaries, to ensure that they "understand the consequences of their malicious cyber behaviour."2 and also envisions intelligence sharing with key partners to identify hostile State and non-State cyber activities. The same year, NATO leaders adopted the Brussels Summit Declaration, which confirmed that NATO's collective defence policies applied to cyberspace and called on its members to consider responding to malicious cyber activity in a coordinated manner.3

U.S. and U.K., have taken the position that there is no legal duty to accompany public acts of attribution with disclosure of any underlying evidence. Although there are various reasons for the reluctance to commit to releasing evidence, the most commonly cited is that such a practice can risk revealing intelligence sources and methods and cyber capabilities. Yet, absent supporting evidence, the credibility of public attribution is open to challenge. Likewise, collective attribution is less likely when intelligence on an incident is not shared. Evidentiary issues might also hamper regional mechanisms for cyber-related sanctions.

It is worth noting that some commentators have expressed doubt as to the effectiveness of recent collective attribution statements, noting the limited number of States involved, a frequent lack of transparency surrounding the process of attribution, the failure to identify specific international law obligations that the operations breached, and the lack of political will in following up with the imposition of sanctions and other responses against the responsible State. Arguably, these shortcomings hinder the development of substantive law in the field of cybersecurity, since they provide few indications of those cyber operations that States consider unlawful information that is essential in both the interpretation of existing legal rules in the cyber context and the crystallization of new rules of customary international law.

4) International attribution mechanisms:

There have been numerous calls for the establishment of an international attribution mechanism that would foster public confidence in the attribution claims of national security agencies and private cybersecurity companies. Although such public and private bodies have the considerable professional expertise, their work tends to lack transparency, and their governmental affiliation or commercial interests sometimes render their claims suspect.

An independent international mechanism could lend credibility to attribution in the cyber realm, thereby limiting the ability of responsible States to deny involvement and facilitating collective attribution and response. Like the OPCW Technical Secretariat, such a mechanism could prove useful for State and non-State actors in certain situations. To be sure, such a mechanism should complement, not replace, existing attribution mechanisms and practices. Optimally, it should find ways to harness the evidence gathering and analytical wherewithal of State agencies, and the technical expertise resident in the public and private cybersecurity sectors.

Several initiatives aimed at promoting an international attribution mechanism have been launched in recent years:

In 2014, the Atlantic Council, a Washington, D.C.-based think tank, proposed the establishment of a Multilateral Cyber Adjudication and Attribution Council (MCAAC).

In 2016, Microsoft published a proposal for an attribution premised on the investigation of incidents by international experts comprising a public-private organization.

In 2017, the RAND Corporation proposed a Stateless attribution mechanism consisting of a consortium of private experts specializing in cyber technology and policy that would, on a discretionary basis, investigate and attribute incidents, as well as provide analysis concerning the severity of the incident and the sophistication of the operation.

In 2019, Microsoft joined forces with MasterCard and the Hewlett Foundation to establish the Cyber Peace Institute.

Except for the Cyber Peace Institute, which has been established, neither these nor other initiatives have gained much momentum. Research Center’s workshops with legal, policy, and technical experts, diplomats and other State officials, academics, and industry executives, several tentative reasons for this lack of progress can be identified.

Most significantly, some major State actors in the field of cybersecurity appear uninterested in developing an international attribution mechanism, largely out of a sense that the mechanism would be redundant. After all, powerful and technologically savvy States have developed processes for technical attribution that rely upon their technical forensic capacity, as well as their intelligence assets, especially signals intelligence and human intelligence hence, they collaborate with their partners, occasionally, they even turn to private cybersecurity companies to provide specialized expertise. Once such States can attribute, they have the offensive tools and the political and economic clout to respond meaningfully to hostile cyber operations, either alone or in collaboration with other States.

Moreover, some States appear sceptical about the very push for legal accountability. Arguably, the proposed mechanism would help to clarify the law applicable to cyber operations, thereby limiting the operational flexibility that results from legal ambiguity. Viewing international law as asymmetrically disadvantageous, these States would prefer to rely on self-help as they fear that referral of incidents to an international attribution mechanism might over time deprive them of the discretion ambiguity offers in terms of attribution and response options.

Some workshop participants also suggested the initiatives have several shortcomings that have impeded acceptance. For instance, they opined that the RAND proposal is more detailed but envisages a Stateless mechanism over whose configuration, mandate, and modus operandi States would have limited influence. This arrangement is unlikely to appeal to States, especially when comparable investigative services are available from private companies.

Numerous participants were of the view that the proposals could be characterized as overbroad in the sense that they called for a major restructuring of cyber attribution and the underlying concept of accountability. Thus, some participants argued that a more sophisticated approach would have been to associate the proposed mechanism with specific wants is required to increase global capacity to make credible attribution claims, a need to encourage collective attributions, and a need to support multilateral follow-up efforts.

5) Advancement:

Effective application of international law to any domain of international relations hinges on the interaction between legal norms, fact-finding processes that identify violations and attribute responsibility to a State or non-State actor, and follow-up measures, which can include shaming, making claims in the diplomatic or adjudicative forum and imposing sanctions, including countermeasures. The legitimacy of each link in the chain is premised on the legitimacy of the preceding links; thus, the legitimacy of accusations and responses depends on the legitimacy of the underlying legal rules and attribution process. Specifically, the legitimacy of the attribution process undergirds the ability of an accuser to convince relevant target audiences, including third States that might join collective attribution statements or support multilateral sanctions.

The goal of creating an international attribution mechanism remains viable and that such an entity would prove valuable, albeit primarily in three contexts:

First, an international attribution mechanism could prove useful for States with a limited independent capacity to effectively generate accountability. An international attribution mechanism could prove especially useful in this regard. A properly crafted mechanism would be more likely to be perceived as independent, impartial, and professionally reliable. Its factual conclusions would presumably enjoy significant traction, which would enhance the Victim State’s ability to generate assistance in imposing accountability.

Second, the creation of an international attribution mechanism would signal the growing interest of States in collective attribution, as broad condemnation and multilateral responses are more likely to promote accountability than the reactions of a single State. Collective attribution is most effective when there is a high level of confidence in the initial attribution determination.

Third, an international attribution mechanism could play an important role in connection with the operation of cyber-related sanction regimes, such as that of the EU. Such regimes rely upon trust in individual attribution determinations by member States. However, since they involve sanctions on natural or legal actors that may be associated with foreign States. The smooth operation of the regime generally requires a higher level of confidence than might otherwise be the case with collective attribution.

An independent professional mechanism could offer verification of individual attribution claims, assuaging the concerns of States about the reliability of the attribution determinations upon which they are being asked to take action.

The key institutional design should look:

a) Whether the optimal composition is public, private, or hybrid;

b) The triggers to initiation of the mechanism’s investigation;

c) The extent to which a mechanism should be tasked with responsibility beyond technical attribution;

d) The necessary arrangements for access to forensic evidence and intelligence materials;

e) The opportunity of entities to whom attribution is made to contest evidence collected against them;

f) When and whether attribution decisions and supporting evidence should be made public.

6) Conclusion:

International fact-finding offers a credible process for ascertaining facts underlying international incidents, and, sometimes, the attribution of legal responsibility for violation of international law norms. Fact-finding mechanisms have been utilized extensively in certain fields of international law, like human rights and weapons control, to generate accountability and deterrence. In such fields, it can play an integral role in implementing the rule of law and developing and interpreting relevant international law norms.

Researchers believe that there is merit in the prospect of an independent international attribution mechanism for cyber operations, one along the lines of, but not necessarily identical to, the OPCW's Technical Secretariat. Cyber operations represent a field of activity plagued by normative ambiguity and limited accountability, where reliance on the victim State's attribution capacities, or those of other States or private cybersecurity companies, may not measure up to the challenges. An independent attribution mechanism could lead to attribution determinations enjoying a higher degree of legitimacy, thereby serving as a stabilizing force in international relations.

By focusing on the three logical constituencies for such a body:

· States with limited technological, intelligence, and diplomatic capacity;

· States interested in generating broad collective attribution of attacks perpetrated against them;

· International and regional organizations operating a cyber-related sanctions regime.

Such a focus would significantly improve the prospects for the establishment of an international attribution mechanism.


1) Yuval Shany, & Michael N. Schmitt. (1895). An International Attribution Mechanism For Hostile Cyber Operations. International Law Studies.

2)The white house, National Cyber strategy of the United States of America 21 (2018)

3)Press Release, NATO, Brussels Summit Declaration, Issued by the Heads of State and Government Participating in the Meeting of the North Atlantic Council in Brussels 11–12 July 2018, Press Release (2018) 074 (July 11, 2018) (last updated Aug. 30, 2018), https://www.nato.int/cps/en/natohq/official_texts_156624.htm

Support us

In order to keep our content open accessed and free, we need your support. Please donate any amount up to 500 INR if possible.

© Internationalism™ - AbhiGlobal Legal Research & Media LLP, 2020.


[Registered under the Limited Liability Partnership Act, 2008 | LLP Identification No. AAQ-1629. Please refer to mca.gov.in for more details.]