"“They’re more the death-by-a-thousand cuts thing in terms of crime and espionage,” said Scott Shackelford, an assistant professor of business law at Indiana University’s Kelley School of Business.
“When you see countries such as some in West Africa that have pretty rapidly expanding broadband access and in some cases pretty weak governance, that can result in them becoming havens for cybercrime, whether the administration wants that to happen or not,” said Shackelford. Weak security measures in Chinese and Russian consumer technology also let hackers route attacks through those countries, taking advantage of both technical vulnerabilities and those countries’ already-negative reputations.
China “has some of the most porous networks in the world,” Shackelford sais. “So even though they might be the source of a significant number of attacks, I think it’s probably also the case that other groups are routing their attacks through China because it’s such an easy scapegoat.”
“When you’re applying that old law, you’re usually relying on analogies,” Shackelford said. “The problem is when your analogies break down. When you’re applying law by analogy, the integrity of your analysis is only as good as your analogy. When cyber operations don’t look like [a] conventional bombing run, that’s where we begin to run into problems.”
“We don’t have, at the international level, a defined burden of proof yet on how much evidence should be necessary to attribute, for example, the actions of non-state actors, like organized crime, back to a government that’s pulling the strings,” Shackelford said."