Cybersecurity

International law cannot keep up with cyber-criminals

As technology advances, so do the criminals. Image: REUTERS/Dado Ruvic

Christian Payne
Adjunct lecturer, Murdoch University
Lorraine Finlay
Lecturer in Law, Murdoch University

The Australian prime minister’s recent announcement that a “sophisticated state actor” had hacked the computer networks of the country's major political parties again highlights the serious threat posed by cyber attacks.

This follows a breach of the Parliament House network earlier this year. Previous examples in Australia include the 2015 malware attack on the Bureau of Meteorology and breaches of the computer systems at the Australian National University in 2018.

Indeed, cyber measures targeting Australian government infrastructure have been described as the “new normal”.

Australia is not alone in facing this threat, and it is a significant one. The US Secretary of Homeland Security highlighted the seriousness of this challenge when she recently suggested that:

… cyber-attacks in terms of their breadth and scope of possible consequences now exceed the risk of physical attacks.

Technological advances continue to outpace legal developments. While intelligence officials have suggested the most recent attack came from a “nation state”, the reality is that the existing international law framework fails to provide timely or effective legal remedies.

The problem of attribution

One of the most significant hurdles is the problem of attribution. For a nation state to be held responsible under international law for a particular act, that act must be attributable to that state. There are a variety of ways this can occur. For example, the conduct of state organs (such as government departments and officials) will usually be attributable to the state.

Image: Global Risks Report 2019

But here’s a key problem: in the case of cyber attacks, states don’t generally operate through formal state bodies. Instead, they tend to use non-state actors who are less visible, more removed and offer plausible deniability. This creates problems of both factual and legal attribution.

The factual problem is that it is often extremely difficult to accurately identify the origin of a cyber attack. The lack of boundaries and the anonymity that are characteristic of cyberspace make it hard for states to identify exactly who is responsible for a specific cyber attack.

Perpetrators are becoming increasingly effective at masking their true identities and locations. They may even deliberately make it look as though innocent third parties are responsible for an attack.

The legal problem of attribution arises from the fact that international law does not generally hold states responsible for the actions of non-state actors.

Responsibility will only be attributed if the state either acknowledges and adopts the conduct of the non-state actor as its own, or the state directs or controls the non-state actor.

The former is unlikely given the lengths to which states go to mask their involvement in cyber attacks in the first place. The latter is also unlikely, given the high threshold set by international law to establish the required direction or control.

The International Court of Justice has held that a state must be shown to have had “effective control” over each specific act for which attribution is sought. Simply providing financial aid or equipment to support a cyber attack, or even providing a safe haven base for individual hackers, would likely not be enough to meet the “effective control” test.

Given these problems, it is highly unlikely that a state will ever be held publicly accountable under the existing legal framework.

It is one thing for intelligence officials to privately suggest China may be to blame for the most recent breach. But that is a long way from meeting the high threshold required to establish state responsibility under international law.

How can a state respond to a cyber attack?

Even if legal attribution could be established, that does not entirely resolve the legal complexities. International law has few mechanisms that allow a state to respond effectively to a cyber attack once it has occurred.

A state is allowed to use force in self-defence – but only in response to an armed attack. An armed attack in this context refers to only the most grave use of force. It is highly unlikely that acts of cyber espionage focused primarily on gathering intelligence or data could ever be characterised as an armed attack under this definition.

Similarly, while countermeasures (a broad category of temporary, reversible measures designed to induce a state to cease its wrongful conduct) are allowed under international law in certain circumstances, the conditions imposed on these mean they are of limited use in the context of cyber attacks. For example, in all but the most urgent circumstances, an injured state must notify the responsible state of the decision to take countermeasures and offer to negotiate with them before any countermeasures are actually taken. Such procedural requirements are simply impractical when responding to cyber attacks, given their potential speed and reach.

Cyber attacks by foreign states pose a real and growing threat to Australia. Unfortunately, the existing international law framework provides little effective protection or recourse. This makes it even more important for Australia to ensure we are doing everything possible to protect ourselves and our democratic institutions from cyber attacks.

License and Republishing

World Economic Forum articles may be republished in accordance with the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International Public License, and in accordance with our Terms of Use.

The views expressed in this article are those of the author alone and not the World Economic Forum.
