The Law & Politics of Cyberattack Attribution

79 Pages Posted: 23 Sep 2019 Last revised: 1 Oct 2020

See all articles by Kristen Eichensehr

Kristen Eichensehr

University of Virginia School of Law

Date Written: September 15, 2019

Abstract

Attribution of cyberattacks requires identifying those responsible for bad acts, prominently
including states, and accurate attribution is a crucial predicate in contexts as diverse as criminal
indictments, insurance coverage disputes, and cyberwar. But the difficult technical side of
attribution is just the precursor to highly contested legal and policy questions about when and
how to accuse governments of responsibility for cyberattacks. Although politics may largely
determine whether attributions are made public, this Article argues that when cyberattacks
are publicly attributed to states, such attributions should be governed by legal standards.

Instead of blocking the development of evidentiary standards for attribution, as the United States,
France, the Netherlands, and the United Kingdom are currently doing, states should establish an
international law requirement that public attributions must include sufficient evidence to enable
crosschecking or corroboration of the accusations. This functionally-defined standard harnesses
both governmental and nongovernmental attribution capabilities to shed light on states’ activities
in cyberspace, and understanding state practice is a necessary precondition to establishing norms
and customary international law to govern state behavior. Moreover, setting a clear evidentiary
standard for cyberattack attribution has the potential to clarify currently unsettled general
international law rules on evidence.

This Article also engages debates about institutional design for attributing cyberattacks.
Companies and think tanks have made several recent proposals for the creation of an international
entity that would handle attribution of state-sponsored cyberattacks. Although these proposals
have much to recommend them, this Article argues that such an entity should supplement, not
replace, the current decentralized system of attribution. Having a multiplicity of attributors—both
governmental and nongovernmental—yields a greater likelihood that public attributions will serve
the goals that attributors aim to achieve, namely, strengthening defenses, deterring attacks, and
improving stability in and avoiding conflict over cyberspace.

Keywords: cybersecurity, cyber, cyberattack, cyberspace, attribution, international law, evidence, WannaCry, NotPetya, standard of proof, Tallinn Manual

Suggested Citation

Eichensehr, Kristen, The Law & Politics of Cyberattack Attribution (September 15, 2019). 67 UCLA L. Rev. 520 (2020)., UCLA School of Law, Public Law Research Paper No. 19-36, Available at SSRN: https://ssrn.com/abstract=3453804

Kristen Eichensehr (Contact Author)

University of Virginia School of Law ( email )

580 Massie Road
Charlottesville, VA 22903
United States

Do you have negative results from your research you’d like to share?

Paper statistics

Downloads
1,378
Abstract Views
6,154
Rank
26,465
PlumX Metrics