The attribution problem in cyber attacks

Dimitar Kostadinov
February 1, 2013 by
Dimitar Kostadinov

This article examines the problem of attribution of cyber attack from all sides. The attribution of activities carried out through the Internet is extremely difficult and, in many cases, impossible to achieve. However, the law of war requires that the initial cyber attack must be attributed before a counterattack is permitted. A key part of the use of active defense measures is the ability of one state to hold another state responsible for a cyber attack. The attribution of an attack to a state or state agents is a condicio sine qua non under international law. There are many preconditions and obscure moments that decision-makers need to consider when it comes to the question of the correct attribution of cyber attacks and the present article may shed some light on them.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Standard application of the attribution methodology: State and Non-state actors

Attributing attacks to specific perpetrators is often difficult in cyberspace, where identities can be easily disguised. Consequently, if the attacker is misidentified, there is a great risk of harming innocent individuals or targeting the wrong place, Because the counter strike may be potentially misguided towards "innocent" computer systems, especially if the original cyber attack has been routed through them (Graham, 2010). Civilians may also inadvertently launch a cyber attack. Whereas this act will most probably not be without any legal consequences for them, they shouldn't be a target of full-scale military attack. Furthermore, it is also important to determine whether the attacker is a state actor or non-state one. For the purpose of decent order, we are going to examine first the non-state actors.

Non-state actors

Non–state actors such as individuals, organized groups, and terrorist organizations need to be related to a state in order to bear a responsibility under Article 2(4) of the UN Charter, the prohibition on use of force, and the customary law. Otherwise, their actions may violate the domestic law of the country which they belong to, but not the provision in question (Schmitt, 2011).

Non-state actors have no connection to any state organization or structure. In the view of knowledgeable observers, individuals are responsible for most of the cyber attacks. A good example is the Russian hackers who allegedly attacked the Estonian government and banks' computer systems in 2007. Given the fact that anonymity comes hand to hand with the new technological capabilities, thus preventing the proper attribution of a cyber attack directly and affirmatively, many states currently prefer to respond to such attacks using only passive computer security measures, at least until there is more information available about the origin and the intent of the attack (Graham, 2010).

Counting on the passive defense mechanisms and deterrence psychology

Some of the classic defense measures against cyber attacks are anti-virus, firewalls, encryption, and automated detection. Besides the fact that these security mechanisms merely passively repel the danger, they do not collect any data that might reveal the identity of the perpetrator and the origin of the malicious act. This creates vicious circle (see the figure below) in which the anonymity impedes the attribution of a cyber attack, while the lack of attribution means that the wrongdoers most probably would evade justice. This, in turn, decreases the level of cyber deterrence. Eventually, "without the fear of being caught, convicted and punished, individuals and organizations will continue to use the Internet to conduct malicious activities." (Hunker, Hutchinson, and Margulies, 2008)

The U.S. Secretary of Defense Leon Panetta claimed that "potential aggressors should be aware that the United States has the capacity to locate and hold them accountable for actions that may try to harm America." Behind these words one may see the readiness of the U.S. government to take pre-emptive actions against imminent cyber threats. The fact that the Stuxnet virus that struck the Iranian nuclear plant was ascribed to the United States cyber task will further increase the deterrence effect of this warning (Goldsmith, 2012). However, it is unlikely to deter extremist and cyber jihadi terrorists who feel no fear of retaliation. Besides, there is this belief that a sophisticated attacker would elude any attribution technology or method, no matter how advanced it is.

Control and surveillance within the state's territory

In China, as in other countries like Egypt, Syria, and Burma, there is great governmental control, surveillance, and censorship of the Internet. Citizens who want to have Internet access in their private property must go to the local police, register by providing personal information, and acquire a license. Most of the Internet users in China gain access through the Internet cafes and these places are obliged to keep record or videotape all visitors. Chinese police store and maintain a huge database with all of the information regarding users' identifications, IP addresses, email addresses, website subscriptions, Internet service providers, etc. There have been many internet-related convictions on grounds such as subversion. As a result of all these measures, the anonymity of the Internet use does not exist in China. Internet users have the feeling that all of their online activity is being monitored. Beyond this, there is the controversial conception of self-censorship (Rotenberg, 2010).

However, this policy toward the Internet, its users, and the attribution problem is more or less inapplicable to democracies. For example, it would contravene the First Amendment of the U.S. Constitution, which gives a person the right to speak anonymously (Rotenberg, 2010). A way to overcome the problem at intrastate and individual level is the adoption of monitoring system which will provide surveillance, gathering, and in-depth analysis of all data from IT networks (Ashford, 2012).

States/ State actors

A very important issue is the attribution of the relevant actions to a state. Read textually, Article 2(4) of the U.N. Charter provides that only states can be adversaries in a situation in which force is used. State actors are also included in this category because they perform their duties on behalf of the states. State actors are the military personnel or individuals working for the government on the basis of a contract. As far as cyber warfare and security is concerned, there is an increasing need for civilian experts and often the governments hire them to assist, train, or even lead the regular soldiers. Owing to the specific logistics of the cyber attacks, the dividing line between civilians and military personnel is blurred and "many functions and services previously fulfilled by military personnel have now been outsourced to private contractors" (Brown 2006: 182). If the attacker is a state actor, then the counter measures must take into account the jus ad bellum

and jus in bello

norms the way they are codified in the U.N. Charter and customary international law.

Other forms of attribution

Imputed responsibility — Sovereignty vs. self-defense

The legal advisor to the U.S. Department of State, Harold Koh, has declared, "Whenever a State contemplates conducting activities in cyberspace, the sovereignty of other States needs to be considered." This is so, he said, "because of the interconnected, interoperable nature of cyberspace, operations targeting networked information infrastructures in one country may create effects in another country" (Koh, 2012, p. 14).

Under the principle of sovereignty and the doctrine of territorial integrity, states can exercise full control over their territory. The U/N. General Assembly underscored this right and qualified the use of force by a state on the territory of another state, without the formal and explicit consent of the latter, for an act of aggression. Nevertheless, the right of self-defense is equally essential.

There is an increasing tendency for states to seek other methods of attribution. The main alternative is the "imputed responsibility" concept. Under this theoretical approach, a state is responsible for any cyber attacks originated from within its territory, even if they are conducted by non-state actors such as terrorist organizations (Graham, 2010). According to the view of the international community, a state does not fulfill this obligation when its legislative and procedural mechanisms, for one reason or another, do not bring the perpetrators to trial and verdict.

A state that is victim to a cyber attack has the right to demand the territorial state to abide by its duty and to ensure that the non-state actors responsible will not remain unpunished. If the territorial state willingly undertakes the necessary measures and precautions to eradicate the groups and organizations responsible, then the victim state cannot respond by kinetic or technologic means and invade the territorial state. On the contrary, if the territorial state does not take decisive actions to solve the problem with these non-state groups, either because it is unwilling to do so or because it is simply unable to stop them, then the victim state can legally act in self-defense and use a kinetic or computer force, pursuant to the international principles of conduct of hostilities, to prevent the non-state actors from performing cyber attacks (Schmitt, 2011).

In addition, the victim state may want to initiate its own investigation and if the allegedly wrong state refuses to cooperate, it receives the status of a sanctuary state and consequently becomes a potential target for a legitimate use of force by the victim state (Graham, 2010).

Sanctuary state

The United States Code Law Ch.38, Para. 2656f (d), sets out the following definitions:

"(5) the terms "terrorist sanctuary" and "sanctuary" mean an area in the territory of the country

(A) that is used by a terrorist or terrorist organization

(i) to carry out terrorist activities, including training, fundraising, financing, and recruitment; or

(ii) as a transit point; and

(B) the government of which expressly consents to, or with knowledge, allows, tolerates, or disregards such use of its territory and is not subject to a determination..."

The rules regulating the state responsibility are codified into the Draft Articles of State's Responsibility for Internationally Wrongful Acts from 2001, which is binding for all states because it constitutes a customary international law. These rules are based on the concept of agencies: states are represented by state institutions or officials who perform their duties on behalf of these institutions. State cannot be held responsible for illegal acts committed by individuals unless is proved that these individuals exercise public functions that are connected to some activity which is state-related. However, the rules that entail state responsibility have gradually changed, especially after the 9/11 terrorist attack, and now the state is somewhat responsible for acts of private actors if it is due to overt or covert support, negligence, or inadequate laws, etc. (Värk, 2006).

"Effective control" is a standard for state involvement in regard to non-state actors laid down in the Nicaragua case (1985) by the International Court of Justice. Moreover, it sets out the rule that military operations conducted by non-state actors should be of a certain "scale and effects" to be regarded as an armed attack. Thus, an act by a non-state actor in order to be attributed to a state should conform to the following criteria:

a) The act is categorized as an armed attack;

b) The state is, directly or indirectly, substantially involved in the operations conducted by the non-state actors (Schmitt, 2011).

When a state or state agent bears the responsibility for a cyber attack that inflicts some harm in the domain of another state, then the victim state's counter measures are regulated by the international law of warfare and international humanitarian law. Additionally, if the damage to the computer systems is likely to result in death or injury to people or destruction or damage to tangible objects, then the victim state has the rightful opportunity to defend itself in accordance with Article 51 of the U.N. Charter (Creekman, 2002). Nevertheless, the defense/counterattack procedure against a cyber attack deriving from a sanctuary state is obscure, but many scholars advocate a more decisive approach, especially when it comes to protecting critical national infrastructure.


The attribution of cyber attacks clearly poses a great problem for decision makers. Nowadays, the Internet ensures that the anonymity of its users is kept intact. While this may seem reasonable and in concordance with the democratic virtues and laws, it also presents us with the question: "Are we going to pay soon or later for giving potential cyber terrorists and criminals the comfort shelter called anonymity?"

The common tactic of advanced hackers is that they route the cyber attack through many different countries. Under these circumstances, a global policy on cyber attacks is need that will track down accurately the origin and perpetrator to be tracked down accurately. However, such a global policy is highly unlikely because of the differences among the great cyber powers. Even though the future of attributing cyber acts appears uncertain, there is hope that someday, somehow the real identity of the online villains will be uncovered and they will be brought to justice.

Become a Certified Ethical Hacker, guaranteed!

Become a Certified Ethical Hacker, guaranteed!

Get training from anywhere to earn your Certified Ethical Hacker (CEH) Certification — backed with an Exam Pass Guarantee.


Dimitar Kostadinov
Dimitar Kostadinov

Dimitar Kostadinov applied for a 6-year Master’s program in Bulgarian and European Law at the University of Ruse, and was enrolled in 2002 following high school. He obtained a Master degree in 2009. From 2008-2012, Dimitar held a job as data entry & research for the American company Law Seminars International and its Bulgarian-Slovenian business partner DATA LAB. In 2011, he was admitted Law and Politics of International Security to Vrije Universiteit Amsterdam, the Netherlands, graduating in August of 2012. Dimitar also holds an LL.M. diploma in Intellectual Property Rights & ICT Law from KU Leuven (Brussels, Belgium). Besides legal studies, he is particularly interested in Internet of Things, Big Data, privacy & data protection, electronic contracts, electronic business, electronic media, telecoms, and cybercrime. Dimitar attended the 6th Annual Internet of Things European summit organized by Forum Europe in Brussels.